[keycloak-user] Authorization on resources that belong to different "groups"
Gabriel Trisca
gtrisca at cignifi.com
Thu Mar 30 17:59:32 EDT 2017
Hi there,
We've integrated Keycloak auth and authz to an existing REST service which
serves endpoints like this:
GET /api/report?country={country}
GET /api/status?country={country}
GET /api/history?country={country}
As far as I understand, the only way to protect these resources is to
create "global" resources (/api/report, /api/status etc.), but then we
can't validate if the current user is authorized to make requests for a
given "country".
The other alternative would be to include the country name in the URI, but
this would lead to duplication of resource definitions:
/api/report/country1
/api/report/country2
/api/status/country1
/api/status/country2
...
We considered including a list of the countries the user has access to as
an attribute in the access_token but that would require manually
maintaining said attribute.
Is there another way that would accommodate this kind of authentication
requirement?
Thanks in advance!
--
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
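As an added example, and not code from the original post or from Keycloak itself, the following Python sketch shows the third alternative the post describes: the service keeps the "global" Keycloak resources for the endpoints and then makes its own per-request check of the `country` query parameter against a list of countries carried in the token. It assumes the Keycloak adapter has already verified the token signature and handed the service the decoded claims, that permissions arrive in the `authorization.permissions` layout of a Keycloak RPT, and that a custom `countries` claim exists; the resource names, the `countries` claim and the sample claims are all constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Hypothetical mapping from the service's endpoints to the Keycloak resource
# name and the scope required on it (the "global" resources from the post).
RESOURCES = {
    "/api/report": ("Report Resource", "view"),
    "/api/status": ("Status Resource", "view"),
    "/api/history": ("History Resource", "view"),
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def has_permission(claims: dict, resource_name: str, scope: str) -> bool:
    """Check the RPT's authorization.permissions claim for the resource.

    A permission entry that lists no scopes is treated here as a grant on
    the whole resource; one that lists scopes must include the required one.
    """
    permissions = claims.get("authorization", {}).get("permissions", [])
    for perm in permissions:
        if perm.get("rsname") != resource_name:
            continue
        if "scopes" not in perm or scope in perm["scopes"]:
            return True
    return False


def authorize(claims: dict, method: str, url: str) -> Decision:
    """Combine the Keycloak resource/scope check with the per-country check.

    Default deny: unknown endpoints, non-GET methods, missing or duplicated
    country parameters and countries outside the token's list are rejected.
    """
    if method.upper() != "GET":
        return Decision(False, f"method {method} not allowed")
    parts = urlsplit(url)
    entry = RESOURCES.get(parts.path)
    if entry is None:
        return Decision(False, "unknown endpoint (default deny)")
    resource_name, required_scope = entry
    if not has_permission(claims, resource_name, required_scope):
        return Decision(False, f"no '{required_scope}' on {resource_name}")
    # Require exactly one country value: with two values a naive check of
    # the first one and a backend that reads the last one would disagree.
    countries = parse_qs(parts.query).get("country", [])
    if len(countries) != 1:
        return Decision(False, "exactly one country parameter required")
    country = countries[0]
    # Hypothetical custom claim listing the countries the user may query.
    allowed_countries = set(claims.get("countries", []))
    if country not in allowed_countries:
        return Decision(False, f"not entitled to country {country!r}")
    return Decision(True, f"{required_scope} on {resource_name} for {country}")


# Constructed sample claims, shaped like the decoded payload a Keycloak
# adapter would pass on after verifying the token (verification not shown).
SAMPLE_CLAIMS = {
    "sub": "user-1",
    "countries": ["country1", "country2"],  # hypothetical custom claim
    "authorization": {
        "permissions": [
            {"rsname": "Report Resource", "scopes": ["view"]},
            {"rsname": "Status Resource"},  # resource-level grant, no scopes
        ]
    },
}


def demo() -> list:
    """Run a few constructed requests through authorize() and return the verdicts."""
    urls = [
        "/api/report?country=country1",
        "/api/report?country=country3",
        "/api/status?country=country2",
        "/api/history?country=country1",
        "/api/report?country=country1&country=country3",
        "/api/report",
    ]
    return [authorize(SAMPLE_CLAIMS, "GET", u).allowed for u in urls]


if __name__ == "__main__":
    for url, ok in zip(demo.__code__.co_consts, demo()):
        pass
    for u in ("/api/report?country=country1", "/api/report?country=country3"):
        print(u, authorize(SAMPLE_CLAIMS, "GET", u))
```

The point of keeping both checks is that the Keycloak permission answers "may this user use /api/report at all", while the country check answers "for which rows", which is the object-level decision the URI-per-country alternative in the post was trying to express with duplicated resource definitions.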