[keycloak-user] Authorization on resources that belong to different "groups"
Pedro Igor Silva
psilva at redhat.com
Fri Mar 31 10:17:39 EDT 2017
What about using patterns in your paths. Something like:
/api/report/{country}
On Thu, Mar 30, 2017 at 6:59 PM, Gabriel Trisca <gtrisca at cignifi.com> wrote:
> HI there,
>
> We've integrated Keycloak auth and authz to an existing REST service which
> serves endpoints like this:
>
> GET /api/report?country={country}
> GET /api/status?country={country}
> GET /api/history?country={country}
>
> As far as I understand, the only way to protect these resources is to
> create "global" resources (/api/report, /api/status etc.), but then we
> can't validate if the current user is authorized to make requests for a
> given "country":
>
> The other alternative would be to include the country name in the URI, but
> this would lead to duplication of resource definitions:
>
> /api/report/country1
> /api/report/country2
> /api/status/country1
> /api/status/country2
> ...
>
> We considered including a list of the countries the user has access to as
> an attribute in the access_token but that would require manually
> maintaining said attribute
>
> Is there another way that would accommodate this kind of authentication
> requirements?
>
> Thanks in advance!
>
> --
> *Gabriel Trisca, Software Developer*
> Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list