Sorry, but it is still not clear to me how a "user has access to a subset of
B". Is this access based on roles, groups, or any other information that you
gather from the context? I'm wondering if this is not a business rule
instead ....
On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
Hi Pedro,
The user is not the book owner. You can think about it this way: if B
is the set of all books, then each user has access to a subset of B, such
that these subsets are not mutually exclusive and do overlap.
On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <psilva(a)redhat.com>
wrote:
> Hi Farzad,
>
> How do you check if a user has access to a book? Is the user the book
> owner, or do you have more conditions that should be taken into account to
> grant access to books?
>
> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
>
>
> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <farzad.panahi(a)gmail.com>
> wrote:
>
>> Hi,
>>
>> I am very new to Keycloak. I have a RESTful API implemented with the json:api
>> <https://jsonapi.org/> spec which I want to secure using Keycloak.
>>
>> I just want to ask the Keycloak community for best practices when it
>> comes to securing RESTful APIs.
>>
>> My endpoints will be something like:
>> GET /api/books --> return all books the user has access to
>> GET /api/books/123 --> return book with id = 123
>>
>> My challenge now is to figure out how to define resources in Keycloak.
>> Should I add all my books as resources to Keycloak? And then define the
>> permission between each user and resource?
>>
>> What would be the best practice to implement "GET /api/books" to return
>> only the books the logged-in user has access to? Should I query the
>> Keycloak API to get all the resources the logged-in user has access to,
>> in the backend?
>>
>> Thanks
>>
>> Farzad
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
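An added illustration, not code from the thread or from Keycloak, of the backend filtering the original question asks about: the API treats the permissions in a Keycloak RPT (requesting-party token) as the caller's granted subset of B and serves `GET /api/books` and `GET /api/books/<id>` from it. The one-resource-per-book naming (`book:<id>`), the catalogue and the decoded token payloads are constructed assumptions; the `authorization.permissions` layout (`rsid`, `rsname`, `scopes`) follows Keycloak's documented RPT format, and the token is assumed to have been signature-verified before this point.

```python
# Added example (not from the thread): filter a book collection by the
# permissions granted in a Keycloak RPT. Assumes the RPT was already
# signature-verified and decoded into a dict. The "authorization.permissions"
# layout ("rsid", "rsname", "scopes") follows Keycloak's documented RPT format;
# the "book:<id>" resource-naming convention is a constructed assumption.

# Constructed catalogue: the full set B of books held by the API backend.
BOOKS = {
    "123": {"title": "Applied Cryptography"},
    "456": {"title": "Security Engineering"},
    "789": {"title": "The Art of Software Security Assessment"},
}

# Constructed decoded RPT payloads for two users whose subsets overlap on 456.
RPT_ALICE = {"sub": "alice", "authorization": {"permissions": [
    {"rsid": "r-1", "rsname": "book:123", "scopes": ["view"]},
    {"rsid": "r-2", "rsname": "book:456", "scopes": ["view", "edit"]},
]}}
RPT_BOB = {"sub": "bob", "authorization": {"permissions": [
    {"rsid": "r-2", "rsname": "book:456", "scopes": ["view"]},
    {"rsid": "r-3", "rsname": "book:789", "scopes": ["view"]},
]}}
RPT_NO_CLAIM = {"sub": "mallory"}  # token with no authorization claim at all


def granted_book_ids(rpt: dict, scope: str = "view") -> set:
    """Return the ids of books on which the RPT grants `scope`.

    A missing or malformed claim yields the empty set (deny by default), and
    a permission entry without a "scopes" list grants nothing.
    """
    perms = rpt.get("authorization", {}).get("permissions", [])
    ids = set()
    for p in perms:
        name = p.get("rsname", "")
        if name.startswith("book:") and scope in p.get("scopes", []):
            ids.add(name[len("book:"):])
    return ids


def list_books(rpt: dict) -> dict:
    """GET /api/books: only the books in the caller's granted subset."""
    return {bid: BOOKS[bid] for bid in granted_book_ids(rpt) if bid in BOOKS}


def get_book(rpt: dict, book_id: str) -> tuple:
    """GET /api/books/<id>: (status, body). Unknown ids and ids the caller
    is not granted both answer 404, so the response does not reveal which
    ids exist in the catalogue."""
    if book_id not in BOOKS or book_id not in granted_book_ids(rpt):
        return 404, None
    return 200, BOOKS[book_id]
```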