Re: [keycloak-user] API Authorization: on request or response?

Hi again, I looked everywhere but I couldn't find an Evaluation API for javascript... In my nodeJS server, should I call UMA API endpoints? On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva <psilva(a)redhat.com&gt; wrote: > Hi, > > It seems you are looking for fine-grained permissions. Could you take a > look at this example [1] and documentation [2] ? > > One of the things shown by that example is how to protect resources based > on its owner. > > [1] https://github.com/keycloak/keycloak/tree/master/example > s/authz/photoz > [2] http://www.keycloak.org/docs/latest/authorization_services/index.html > > On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont < > corentin.dupont(a)gmail.com&gt; wrote: > >> Hi guys, >> another small question :) >> >> Suppose you have an API looking like this: >> http://www.example.com/api/v1/cars >> >> Cars have an owner: >> { >> name: "my car" >> owner: "smith" >> } >> >> How to make sure that you can only get cars that are yours (you can have >> several cars)? >> If you make a simple GET on this endpoint, should I: >> 1. just reply with a "Access denied" because the request is too large: it >> could yield cars that are not yours, >> 2. reply with "Access denied" if the response list contains some cars >> that >> are not yours, >> 3. filter the response car list with only yours? >> >> It seems that 1. is the simplest because it uses only the request to make >> decisions. >> 2. uses the response to make decision, while 3. requires the >> collaboration >> of the response handler in my API server, in order to implement the >> filtering. >> What is the most standard way? >> >> I have also some trouble understanding how to implement that with >> Keycloak >> protect in NodeJS. >> Cheers!! >> Corentin >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >