Hi Gabriel,
How do you define your policies? Which adapter do you use for your app?
On Thu, Mar 30, 2017 at 11:59 PM, Gabriel Trisca <gtrisca(a)cignifi.com> wrote:
Hi there,
We've integrated Keycloak auth and authz to an existing REST service which
serves endpoints like this:
GET /api/report?country={country}
GET /api/status?country={country}
GET /api/history?country={country}
As far as I understand, the only way to protect these resources is to
create "global" resources (/api/report, /api/status etc.), but then we
can't validate if the current user is authorized to make requests for a
given "country".
The other alternative would be to include the country name in the URI, but
this would lead to duplication of resource definitions:
/api/report/country1
/api/report/country2
/api/status/country1
/api/status/country2
...
We considered including a list of the countries the user has access to as
an attribute in the access_token but that would require manually
maintaining said attribute.
Is there another way that would accommodate this kind of authentication
requirement?
Thanks in advance!
--
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user