You should be able to push arbitrary claims to your policies, such as the request URI. Your policy could check if {organization} is among the groups the user is a member of. A single policy could serve for this purpose.

I've added more information about this in the docs; the PR is about to be merged. I'm also working with a quickstart that shows how to solve a similar problem. Something like "access to /api/{user}/salary is only allowed if the current user is {user}".
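The approach described in the reply above, written out as an added example (not Keycloak's own code and not from the original thread): one JS policy that reads the request URI from a pushed claim, takes the first path segment as {organization}, and grants only if that organization is one of the caller's groups. The claim name "uri", the "groups" identity attribute (as produced by a group membership mapper), and the shape of the evaluation object (getContext().getAttributes().getValue(name).asString(i), getIdentity(), grant()/deny()) are assumptions modelled on the JS policy API; the makeEvaluation test double is constructed here only so the policy logic runs offline.

```javascript
// Added example, not Keycloak's own code. Assumptions: the resource server
// pushes the request URI as a claim named "uri", group membership is present
// as a "groups" identity attribute, and `evaluation` follows the JS policy
// API shape (getContext, getAttributes().getValue(name), grant/deny).

// Extract {organization} from a path of the form /{organization}/{resourcename}.
// Returns null when the path does not have that shape, so the caller denies.
function organizationFromUri(uri) {
  var path = uri.replace(/[?#].*$/, '');            // drop query string / fragment
  var segments = path.split('/').filter(function (s) { return s.length > 0; });
  if (segments.length < 2) {
    return null;                                     // no {resourcename} segment
  }
  var org;
  try {
    org = decodeURIComponent(segments[0]);
  } catch (e) {
    return null;                                     // malformed percent-encoding
  }
  if (org === '.' || org === '..') {
    return null;                                     // never treat traversal segments as an org
  }
  return org;
}

// Collect the caller's group names from the identity attributes (assumed "groups").
function userGroups(identity) {
  var groups = identity.getAttributes().getValue('groups');
  if (!groups) {
    return [];
  }
  var out = [];
  for (var i = 0; i < groups.size(); i++) {
    out.push(groups.asString(i));
  }
  return out;
}

// The policy body. Exact-segment comparison, not prefix matching, so that
// /orgA-other/... is never granted to members of orgA.
function evaluatePolicy(evaluation) {
  var context = evaluation.getContext();
  var uriClaim = context.getAttributes().getValue('uri');
  if (!uriClaim) {
    evaluation.deny();                               // no pushed URI: nothing to decide on
    return false;
  }
  var org = organizationFromUri(uriClaim.asString(0));
  if (org === null) {
    evaluation.deny();
    return false;
  }
  var groups = userGroups(context.getIdentity());
  // Keycloak group paths look like "/orgA"; accept either the bare name or the path.
  var member = groups.some(function (g) { return g === org || g === '/' + org; });
  if (member) {
    evaluation.grant();
    return true;
  }
  evaluation.deny();
  return false;
}

// Constructed test double that mimics the evaluation object shape (not Keycloak).
function makeEvaluation(uri, groups) {
  function entry(values) {
    return {
      size: function () { return values.length; },
      asString: function (i) { return values[i]; }
    };
  }
  var state = { decision: null };
  return {
    getContext: function () {
      return {
        getAttributes: function () {
          return { getValue: function (n) { return (n === 'uri' && uri !== undefined) ? entry([uri]) : null; } };
        },
        getIdentity: function () {
          return { getAttributes: function () {
            return { getValue: function (n) { return n === 'groups' ? entry(groups) : null; } };
          } };
        }
      };
    },
    grant: function () { state.decision = 'grant'; },
    deny: function () { state.decision = 'deny'; },
    decision: function () { return state.decision; }
  };
}
```

Inside a real JS policy the script would end with `evaluatePolicy($evaluation);`, since the server exposes the evaluation object as a global. The URI claim is only meaningful when it is pushed by the resource server that received the request, not by the end-user client, otherwise the caller chooses which path the policy checks.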
On Fri, Jun 22, 2018 at 5:09 AM, Christian Stier <stier(a)fzi.de> wrote:
Dear all,
I am in the process of implementing an authorization solution for the REST API of an application using Keycloak/OIDC.

The application manages resources based on their association with user groups. Its simplified path schema is similar to /{organization}/{resourcename}. All users of an organization should be allowed to access its resources. My current approach is to map organizations to Keycloak user groups.

1) Is it possible to define an authorization policy in Keycloak that handles group-based authorization for a single resource defined for the path /{organization}/{resourcename}? My idea here was to check if the organization path of a URL matches a scope of the calling client that is mapped from its group memberships. I looked into JS policy examples and the Evaluation API, but I did not see a way to check against path parameters.

2) Or: Do I have to (programmatically) create separate resource/policy pairs for each organization to support this type of group-based authorization?
Thanks for any pointers and input.
Best regards
Christian
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user