[keycloak-user] Authorization on resources that belong to different "groups"

Gabriel Trisca gtrisca at cignifi.com
Mon Apr 10 09:27:25 EDT 2017


Hi Mehdi,

The policies are defined in the Keycloak admin panel, and we want to try to
avoid defining access control in out application code as much as possible.
The application uses Dropwizard, so we use the Jetty adapter.

Thanks!

On Mon, Apr 10, 2017 at 8:27 AM, Mehdi Sheikhalishahi <
mehdi.alishahi at gmail.com> wrote:

> Hi Gabriel,
>
> How do you define your policies? which adapter do you use for your app?
>
> On Thu, Mar 30, 2017 at 11:59 PM, Gabriel Trisca <gtrisca at cignifi.com>
> wrote:
>
>> HI there,
>>
>> We've integrated Keycloak auth and authz to an existing REST service which
>> serves endpoints like this:
>>
>> GET /api/report?country={country}
>> GET /api/status?country={country}
>> GET /api/history?country={country}
>>
>> As far as I understand, the only way to protect these resources is to
>> create "global" resources (/api/report, /api/status etc.), but then we
>> can't validate if the current user is authorized to make requests for a
>> given "country":
>>
>> The other alternative would be to include the country name in the URI, but
>> this would lead to duplication of resource definitions:
>>
>> /api/report/country1
>> /api/report/country2
>> /api/status/country1
>> /api/status/country2
>> ...
>>
>> We considered including a list of the countries the user has access to as
>> an attribute in the access_token but that would require manually
>> maintaining said attribute
>>
>> Is there another way that would accommodate this kind of authentication
>> requirements?
>>
>> Thanks in advance!
>>
>> --
>> *Gabriel Trisca, Software Developer*
>> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142  USA
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>


-- 
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142  USA
P: +1 857-209-2685 • M: +1 301-433-2221 | www.cignifi.com


More information about the keycloak-user mailing list