Generally yes. First of all, carefully study the Authorization docs.
According to your case:
/my/entity/{entity_id} - this is your resource and you will have to
define it in Keycloak.
Any access to resources is based on the permissions of the user. (In other words,
KC adapters will check whether the user has or hasn't permission to the
specified resource.) So the main question is how the user will acquire his
permissions to resources. This could be achieved via policies, so in your
case there could be a policy that checks whether the user is in group1, and if
so grants him permission to read (HTTP_GET) the resource.
Take a look at
https://keycloak.gitbooks.io/documentation/authorization_services/index.html
(it took me a reasonable amount of time and experiments to "get the
picture", so don't hurry).
You should also check out the authz examples from the keycloak repo.
If you try to use the Spring Security adapter, read this thread
http://lists.jboss.org/pipermail/keycloak-user/2017-March/010107.html
about some issues that I faced with this adapter and suitable solutions.
On 13.04.2017 17:25, Antoine Carton wrote:
Hello,
Is there a way to manage fine-grained authorizations with Keycloak like in
the following scenario:
- A user user1 belongs to a group group1
- group1 has READ access to the REST path: GET /my/entity/{entity_id}
- group1 does not have WRITE access to this path: POST /my/entity/{entity_id}
This means that all users of that group can only READ at that path,
whatever the {entity_id} is.
The question is:
Is it possible to allow user1 ONLY of group1 to have WRITE access to a
specific entity_id?
The purpose is to use the Spring Boot/Spring Security Adapter and replace
what Spring security does with @PreAuthorize annotation for example.
Thank you for your help,
Best regards
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
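The resource / policy / permission arrangement sketched in the reply above, carried through for both parts of the question (group1 may read any entity, and only user1 may write one specific entity), as an added worked model. This is not code from the thread and not Keycloak's own implementation; it is a small stand-in that mirrors the Keycloak Authorization Services concepts (resources with URI templates and scopes, policies as predicates over the requesting identity, scope-based permissions, unanimous policy evaluation inside a permission and affirmative evaluation across permissions). The method-to-scope mapping (GET to "read", POST to "write"), the resource names and the identities are constructed for the example, and the "affirmative across permissions" rule is an assumption of this model, so check the decision strategy configured on the real resource server.

```python
"""Toy model of Keycloak-style resource/scope/policy/permission evaluation.

Added illustration only: it is NOT Keycloak code, and it deliberately ignores
tokens, the Protection API, and the policy-enforcer configuration.
"""
import re
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Constructed mapping from HTTP method to scope name (an assumption of this
# model; in a real deployment the policy-enforcer config declares it).
METHOD_SCOPES = {"GET": "read", "POST": "write"}


@dataclass(frozen=True)
class Identity:
    username: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    name: str
    uri: str                 # may contain {placeholders}, e.g. /my/entity/{entity_id}
    scopes: FrozenSet[str]

    def matches(self, path: str) -> bool:
        # Each {placeholder} matches exactly one path segment; the rest is literal.
        literal_parts = re.split(r"\{[^/}]+\}", self.uri)
        pattern = "[^/]+".join(re.escape(part) for part in literal_parts)
        return re.fullmatch(pattern, path) is not None


# A policy is any predicate over the requesting identity (group, user, role, ...).
Policy = Callable[[Identity], bool]


def group_policy(group: str) -> Policy:
    return lambda identity: group in identity.groups


def user_policy(username: str) -> Policy:
    return lambda identity: identity.username == username


@dataclass(frozen=True)
class ScopePermission:
    name: str
    resource: str            # name of the resource this permission protects
    scopes: FrozenSet[str]   # scopes on that resource it can grant
    policies: Tuple[Policy, ...]

    def applies_to(self, resource: Resource, scope: str) -> bool:
        return self.resource == resource.name and scope in self.scopes

    def grants(self, identity: Identity) -> bool:
        # Unanimous inside a permission: every attached policy must vote "grant".
        return all(policy(identity) for policy in self.policies)


class ResourceServer:
    def __init__(self, resources: List[Resource], permissions: List[ScopePermission]):
        self.resources = resources
        self.permissions = permissions

    def decide(self, identity: Identity, method: str, path: str) -> bool:
        scope = METHOD_SCOPES.get(method)
        if scope is None:
            return False  # unmapped methods are denied (deny by default)
        matching = [r for r in self.resources if r.matches(path) and scope in r.scopes]
        if not matching:
            return False  # no resource covers this path/scope, so deny
        # Affirmative across permissions (assumption): one granting permission suffices.
        return any(
            perm.grants(identity)
            for res in matching
            for perm in self.permissions
            if perm.applies_to(res, scope)
        )


def build_scenario() -> ResourceServer:
    """Resources and permissions for the scenario from the question."""
    all_entities = Resource("entity", "/my/entity/{entity_id}", frozenset({"read", "write"}))
    entity_42 = Resource("entity-42", "/my/entity/42", frozenset({"read", "write"}))
    return ResourceServer(
        resources=[all_entities, entity_42],
        permissions=[
            # group1 may READ any entity ...
            ScopePermission("group1-can-read-entities", "entity",
                            frozenset({"read"}), (group_policy("group1"),)),
            # ... and only user1 may WRITE the one specific entity.
            ScopePermission("user1-can-write-entity-42", "entity-42",
                            frozenset({"write"}), (user_policy("user1"),)),
        ],
    )


if __name__ == "__main__":
    server = build_scenario()
    user1 = Identity("user1", frozenset({"group1"}))
    user2 = Identity("user2", frozenset({"group1"}))
    for who, method, path in [(user1, "GET", "/my/entity/7"), (user1, "POST", "/my/entity/7"),
                              (user1, "POST", "/my/entity/42"), (user2, "POST", "/my/entity/42")]:
        print(who.username, method, path, "->", "GRANT" if server.decide(who, method, path) else "DENY")
```

Note that nothing here is about `@PreAuthorize`: in this model the decision is taken by the resource server from resource, scope and the requester's identity, which is the point of moving the rule out of the application code and into Keycloak. A write permission for a single entity is expressed as a second, more specific resource with its own permission, not as an exception bolted onto the group permission.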