Hi Farzad,
How do you check if a user has access to a book? Is the user the book
owner, or do you have more conditions that should be taken into account to
grant access to books?
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <farzad.panahi(a)gmail.com>
wrote:
Hi,
I am very new to Keycloak. I have a RESTful API implemented with the json:api
<https://jsonapi.org/> spec which I want to secure using Keycloak.
I just want to ask the Keycloak community for best practices when it comes
to securing RESTful APIs.
My endpoints will be something like:
GET /api/books --> return all books the user has access for
GET /api/books/123 --> return book with id = 123
My challenge now is to figure out how to define resources in Keycloak.
Should I add all my books as resources to Keycloak? And then define the
permission between each user and resource?
What would be the best practice to implement "GET /api/books" to return
only the books the logged in user has access to? Should I query the
Keycloak API to get all the resources the logged in user has access to, in
the backend?
Thanks
Farzad
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
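One way to implement the "query Keycloak for the resources the logged-in user has access to" approach that Farzad asks about, as an added example (not code from the thread, from Pedro, or from Keycloak itself). It uses the UMA grant that Keycloak's authorization services document for this purpose: a POST to the realm token endpoint with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket and response_mode=permissions, which answers with a JSON list of the resources and scopes the bearer token's owner is allowed. The token endpoint URL, the client id `books-api`, the `book-<id>` resource naming convention, the `read` scope, and the sample permission response and book list are all assumptions and constructed values; the network call itself is kept in its own function so the filtering logic can be exercised offline.

```python
"""Filter /api/books by the permissions Keycloak reports for the caller.

Added example, not part of the mailing-list thread and not Keycloak's own code.
Assumptions: every book was registered in Keycloak as a resource named
"book-<id>" with a "read" scope (naming scheme is an assumption), the API has
already validated the caller's bearer token, and the endpoint/client id
placeholders below are replaced with real ones.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders: replace with the realm token endpoint and resource-server client id.
TOKEN_ENDPOINT = "https://KEYCLOAK_HOST/auth/realms/REALM/protocol/openid-connect/token"
CLIENT_ID = "books-api"


def fetch_permissions(access_token, token_endpoint=TOKEN_ENDPOINT, audience=CLIENT_ID):
    """Ask Keycloak which resources/scopes the token holder is granted.

    Network call (not exercised offline). Keycloak answers the UMA grant with
    response_mode=permissions as a JSON list of {"rsid", "rsname", "scopes"}
    objects, or with HTTP 403 when the caller is granted nothing at all.
    """
    body = urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": audience,
        "response_mode": "permissions",
    }).encode()
    req = urllib.request.Request(token_endpoint, data=body, method="POST")
    req.add_header("Authorization", "Bearer " + access_token)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return []          # nothing granted: an empty listing, not an error
        raise


def granted_book_ids(permissions, scope="read"):
    """Map Keycloak permission entries to the book ids carrying `scope`.

    An entry without a "scopes" key means the whole resource was granted, so
    it counts for any scope. Resources outside the book-<id> scheme are ignored.
    """
    ids = set()
    for entry in permissions:
        name = entry.get("rsname", "")
        if not name.startswith("book-"):
            continue
        scopes = entry.get("scopes")
        if scopes is None or scope in scopes:
            ids.add(name[len("book-"):])
    return ids


def list_books(books, permissions):
    """GET /api/books: only the books Keycloak granted to the caller."""
    allowed = granted_book_ids(permissions)
    return [book for book in books if book["id"] in allowed]


def get_book(books, permissions, book_id):
    """GET /api/books/<id>: returns (status, body).

    A book the caller is not granted is reported as 404, the same as a book
    that does not exist, so the response does not reveal which ids are real.
    """
    if book_id not in granted_book_ids(permissions):
        return 404, None
    for book in books:
        if book["id"] == book_id:
            return 200, book
    return 404, None


# Constructed sample data standing in for the API's database and for a
# Keycloak permissions response (not captured from a real server).
SAMPLE_BOOKS = [
    {"id": "123", "title": "Threat Modeling"},
    {"id": "456", "title": "Applied Cryptography"},
    {"id": "789", "title": "Secure by Design"},
    {"id": "999", "title": "Restricted Title"},
]
SAMPLE_PERMISSIONS = [
    {"rsid": "r1", "rsname": "book-123", "scopes": ["read"]},
    {"rsid": "r2", "rsname": "book-456"},                      # whole resource
    {"rsid": "r3", "rsname": "book-789", "scopes": ["write"]}, # no read scope
    {"rsid": "r4", "rsname": "reports", "scopes": ["read"]},   # not a book
]

if __name__ == "__main__":
    # In the real endpoint: perms = fetch_permissions(bearer_token_from_request)
    print(json.dumps(list_books(SAMPLE_BOOKS, SAMPLE_PERMISSIONS), indent=2))
    print(get_book(SAMPLE_BOOKS, SAMPLE_PERMISSIONS, "789"))
```

The per-request round trip to Keycloak is the cost of this design; caching the permissions response for the token's lifetime, or keeping the owner relation in the API's own database and asking Keycloak only for the extra conditions Pedro asks about, are the usual ways to keep the listing endpoint cheap.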