[keycloak-user] Authorization on resources that belong to different "groups"

Pedro Igor Silva psilva at redhat.com
Sat Apr 1 11:19:44 EDT 2017


I need to check this out, but I think you can configure your enforcer as
follows:

{
  "name" : "Country Resource",
  "path" : "/api/{country}/report",
  "methods" : [
    {
      "method": "GET",
      "scopes" : ["report"]
    }
  ]
},
{
  "name" : "Country Resource",
  "path" : "/api/{country}/status",
  "methods" : [
    {
      "method": "GET",
      "scopes" : ["status"]
    }
  ]
}

You are basically defining in the enforcer config specific paths in the
application and the scopes for each HTTP verb. In the case above, all paths
are protected by permissions applied to "Country Resource" but the scope
depends on the sub-path.


On Sat, Apr 1, 2017 at 10:56 AM, Bill Burke <bburke at redhat.com> wrote:

> Maybe define a resource for each country then a scope each for "report",
> "status" and "history"?   You'd have to handle authorization yourself in
> your app by looking at the RPT though.
>
>
> On 3/31/17 10:17 AM, Pedro Igor Silva wrote:
> > What about using patterns in your paths. Something like:
> >
> >      /api/report/{country}
> >
> >
> > On Thu, Mar 30, 2017 at 6:59 PM, Gabriel Trisca <gtrisca at cignifi.com> wrote:
> >
> >> Hi there,
> >>
> >> We've integrated Keycloak auth and authz to an existing REST service which
> >> serves endpoints like this:
> >>
> >> GET /api/report?country={country}
> >> GET /api/status?country={country}
> >> GET /api/history?country={country}
> >>
> >> As far as I understand, the only way to protect these resources is to
> >> create "global" resources (/api/report, /api/status etc.), but then we
> >> can't validate if the current user is authorized to make requests for a
> >> given "country":
> >>
> >> The other alternative would be to include the country name in the URI, but
> >> this would lead to duplication of resource definitions:
> >>
> >> /api/report/country1
> >> /api/report/country2
> >> /api/status/country1
> >> /api/status/country2
> >> ...
> >>
> >> We considered including a list of the countries the user has access to as
> >> an attribute in the access_token, but that would require manually
> >> maintaining said attribute.
> >>
> >> Is there another way that would accommodate this kind of authentication
> >> requirement?
> >>
> >> Thanks in advance!
> >>
> >> --
> >> *Gabriel Trisca, Software Developer*
> >> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142  USA
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
>
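Added example, not code from the thread or from Keycloak itself: a small Python model of the two ideas discussed above. It mimics the enforcer-style path table from Pedro's reply (a path template with a {country} placeholder and a scope per HTTP verb) and Bill's suggestion of one resource per country, with the application checking the RPT itself. Assumptions: resources are named after the country identifier (e.g. "ar") and carry the scopes report/status/history, and the RPT payload exposes an "authorization.permissions" claim whose entries have "rsname" and "scopes". The path table, the RPT payload and the sample requests are constructed for the example; in a real adapter the claims come from a JWT whose signature has already been verified.

```python
"""Model of enforcer path-template matching plus an application-side RPT check.

Added example, not Keycloak's own code. The path table, RPT payload and the
rsname/scopes claim layout are assumptions made for illustration.
"""
import re
from typing import Optional

# Enforcer-style path table in the shape of the config in the reply above:
# a path template with a {country} placeholder and the scope required per
# HTTP method. The "history" entry is added to cover the third endpoint.
PATHS = [
    {"path": "/api/{country}/report",  "methods": [{"method": "GET", "scopes": ["report"]}]},
    {"path": "/api/{country}/status",  "methods": [{"method": "GET", "scopes": ["status"]}]},
    {"path": "/api/{country}/history", "methods": [{"method": "GET", "scopes": ["history"]}]},
]


def compile_template(template: str) -> re.Pattern:
    """Turn '/api/{country}/report' into an anchored regex with a named group.

    A placeholder matches exactly one path segment ([^/]+), so {country}
    cannot swallow extra segments, and the literal parts are escaped so
    regex metacharacters in a template are never interpreted.
    """
    out, pos = [], 0
    for m in re.finditer(r"\{(\w+)\}", template):
        out.append(re.escape(template[pos:m.start()]))
        out.append(f"(?P<{m.group(1)}>[^/]+)")
        pos = m.end()
    out.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(out) + "$")


COMPILED = [(compile_template(p["path"]), p) for p in PATHS]


def required_permission(method: str, path: str) -> Optional[tuple]:
    """Map a request to (country, required scopes).

    Returns None when the path is not in the table or the verb is not
    configured for it; the caller must treat None as deny, not as "no
    protection".
    """
    for regex, entry in COMPILED:
        m = regex.match(path)
        if not m:
            continue
        for mc in entry["methods"]:
            if mc["method"].upper() == method.upper():
                return m.group("country"), list(mc["scopes"])
        return None  # path known, verb not configured
    return None


def granted_scopes(rpt_claims: dict) -> dict:
    """Index the RPT's authorization.permissions claim as {resource name: scopes}.

    The rsname/scopes layout is an assumption of this example. Only call
    this on claims taken from an RPT whose signature was verified.
    """
    index = {}
    for perm in rpt_claims.get("authorization", {}).get("permissions", []):
        index.setdefault(perm["rsname"], set()).update(perm.get("scopes", []))
    return index


def is_authorized(rpt_claims: dict, method: str, path: str) -> bool:
    """Allow only if the RPT grants every required scope on the country resource."""
    req = required_permission(method, path)
    if req is None:
        return False
    country, scopes = req
    return set(scopes) <= granted_scopes(rpt_claims).get(country, set())


# Constructed RPT payload: the user may read reports and status for "ar"
# but only status for "uk". One resource per country, named after it.
SAMPLE_RPT = {
    "authorization": {
        "permissions": [
            {"rsname": "ar", "scopes": ["report", "status"]},
            {"rsname": "uk", "scopes": ["status"]},
        ]
    }
}

if __name__ == "__main__":
    for method, path in [("GET", "/api/ar/report"), ("GET", "/api/uk/report"),
                         ("GET", "/api/uk/status"), ("POST", "/api/ar/report"),
                         ("GET", "/api/ar/../uk/report")]:
        verdict = "allow" if is_authorized(SAMPLE_RPT, method, path) else "deny"
        print(f"{method} {path} -> {verdict}")
```

Two points worth keeping from the model when doing this in a real adapter: an unmatched path or verb must fail closed rather than fall through, and the placeholder only ever binds a single segment, so a request such as /api/ar/../uk/report does not match at all (normalize the path before matching anyway, since the enforcer sees whatever the servlet container hands it).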

