The simplest would be to use roles, not scope, as Keycloak supports roles well
but has less support for scope. On the endpoint side it depends on what you
are implementing it in. If it's JEE, it's probably easiest to do one
endpoint per role. In general it's probably easier to have that pattern in
any case. The devil is in the details, though, and I imagine any approach has
pros/cons and you'll need to decide what works best for your case.
On 28 November 2016 at 13:12, Guus der Kinderen <guus.der.kinderen(a)gmail.com> wrote:
Hello,
When implementing one or more services that, based on an access token,
expose data related to the user identified in the access token, is
there a "best practice" with regard to handling the available scopes?
I'm debating between having one resource server that exposes all data to
which the token grants access, versus having a resource server "per
claim" that either returns data or an error code based on the presence
of a particular scope within the access token.
Is there a common approach / best practice that covers this?
Regards,
Guus
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
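The two patterns discussed in this thread (gating an endpoint on a role versus on a scope carried in the access token) side by side, as an added example that is not part of the original thread and is not Keycloak's own code. It assumes the access token is a JWT laid out the way Keycloak issues them (realm roles under `realm_access.roles`, client roles under `resource_access.<client>.roles`, scopes space-separated in `scope`). So that it runs offline it signs with a constructed HS256 shared secret and a fixed clock; a real resource server would verify Keycloak's RS256 signature against the realm's public key instead. The client id `orders-api`, the endpoint paths and the sample claims are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret so the example runs offline. Keycloak signs access
# tokens with the realm's RSA key; a real resource server verifies RS256 against
# the realm's public key instead of sharing a secret with the issuer.
SECRET = b"example-shared-secret-do-not-use"
CLIENT_ID = "orders-api"       # hypothetical client id of this resource server
NOW = 1_700_000_000            # fixed clock so the example is deterministic

# Constructed sample claims in Keycloak's access-token layout.
SAMPLE_CLAIMS = {
    "sub": "user-123",
    "exp": NOW + 300,
    "scope": "openid profile",
    "realm_access": {"roles": ["customer"]},
    "resource_access": {CLIENT_ID: {"roles": []}},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Test helper standing in for the issuer: mint an HS256 JWT with these claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Check alg, signature and expiry before any claim is trusted; ValueError otherwise."""
    header_b64, body_b64, sig_b64 = token.split(".")   # ValueError unless 3 parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")             # refuses alg "none" too
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if not isinstance(claims, dict):
        raise ValueError("claims are not an object")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def token_roles(claims: dict) -> set:
    """Realm roles plus this client's roles, read from Keycloak's claim layout."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(CLIENT_ID, {}).get("roles", [])
    return set(realm) | set(client)


def token_scopes(claims: dict) -> set:
    return set(claims.get("scope", "").split())


# Policy table, one entry per endpoint. The role-gated entries follow the
# "one endpoint per role" pattern; the scope-gated entry shows the alternative.
ENDPOINTS = {
    "/api/orders":      {"roles": {"customer"}},
    "/api/admin/users": {"roles": {"user-admin"}},
    "/api/profile":     {"scopes": {"profile"}},
}


def authorize(token: str, path: str, now=None) -> int:
    """Return the HTTP status this resource server would answer for the request."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return 401          # unverifiable or expired token: never consult its claims
    policy = ENDPOINTS.get(path)
    if policy is None:
        return 404
    if not policy.get("roles", set()) <= token_roles(claims):
        return 403
    if not policy.get("scopes", set()) <= token_scopes(claims):
        return 403
    return 200


def tamper(token: str, extra_realm_role: str) -> str:
    """Attacker edit: add a realm role to the payload but keep the original signature."""
    header_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(body_b64))
    claims.setdefault("realm_access", {}).setdefault("roles", []).append(extra_realm_role)
    return f"{header_b64}.{_b64url_encode(json.dumps(claims).encode())}.{sig_b64}"


if __name__ == "__main__":
    token = mint_token(SAMPLE_CLAIMS)
    for path in ENDPOINTS:
        print(path, authorize(token, path, now=NOW))
    print("tampered admin request", authorize(tamper(token, "user-admin"), "/api/admin/users", now=NOW))
```

The policy table is the part that changes between the two designs: role entries are what a JEE endpoint would express with `@RolesAllowed` once the Keycloak adapter has verified the token, while the scope entry needs a custom check against the `scope` claim. Either way the signature and expiry check comes first, so an edited payload (the `tamper` case) is rejected as unauthenticated rather than being evaluated for roles.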