[keycloak-user] AuthZ with realm roles
Corentin Dupont
corentin.dupont at gmail.com
Sun Nov 12 16:29:37 EST 2017
Hi guys,
yet another question... AuthZ is quite mysterious!
I am trying to protect my API with realm roles.
I have an API looking like this:
http://www.example.com/api/v1/cities/rome/houses
http://www.example.com/api/v1/cities/rome/streets
Each endpoint supports GET/PUT/POST/DELETE.
Each role must have the form:
<view|manage>:<asset>[:<city>[:<resource filter>]]
For example roles can be:
- view:houses
- view:houses:rome
- view:houses:rome:owner==smith
- manage:houses:rome
"manage": gives you all CRUD operations, while with "view" you can only
read resources.
Do you think this design is correct? Any other suggestion?
What is not practical is that I have to force my users to use this role
format.
The resource filter part is also hard to implement, as it requires
checking the content of the responses...
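To make the scheme in the post concrete, here is an added example (my code, not Corentin's and not part of Keycloak) of a policy check that parses roles of the form <view|manage>:<asset>[:<city>[:<resource filter>]], decides whether an HTTP request is allowed, and applies the resource filter to the response. It assumes the realm roles arrive in the access token's realm_access.roles claim (where Keycloak puts realm roles); the mapping of GET to "view" and PUT/POST/DELETE to "manage", and the reading of "owner==smith" as "only resources whose owner field equals smith", are my assumptions. The token claims and house records are constructed sample data.

```python
"""Policy check for roles shaped <view|manage>:<asset>[:<city>[:<filter>]].

Added example, not code from the post or from Keycloak.  Assumptions:
- realm roles are read from the token's realm_access.roles claim;
- GET/HEAD need "view", PUT/POST/DELETE need "manage", and "manage"
  also grants reading (the post says manage covers all CRUD);
- a filter "field==value" admits only resources whose field equals value,
  both when listing (GET) and when writing (the target must pass it).
Anything that does not parse is ignored (fail closed), so Keycloak's
built-in roles such as "offline_access" are simply skipped.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

METHOD_ACTION = {"GET": "view", "HEAD": "view",
                 "PUT": "manage", "POST": "manage", "DELETE": "manage"}


@dataclass(frozen=True)
class Role:
    action: str                 # "view" or "manage"
    asset: str                  # e.g. "houses"
    city: Optional[str]         # None = every city
    filter_field: Optional[str]  # None = no resource filter
    filter_value: Optional[str]


def parse_role(name: str) -> Optional[Role]:
    """Parse one role name; return None for anything outside the scheme."""
    parts = name.split(":", 3)          # filter may itself contain ':'? keep it whole
    if len(parts) < 2 or parts[0] not in ("view", "manage") or "" in parts:
        return None
    city = parts[2] if len(parts) > 2 else None
    field = value = None
    if len(parts) == 4:
        if "==" not in parts[3]:
            return None                 # malformed filter: deny rather than widen
        field, value = parts[3].split("==", 1)
        if not field:
            return None
    return Role(parts[0], parts[1], city, field, value)


def roles_from_token(claims: Dict) -> List[Role]:
    names = claims.get("realm_access", {}).get("roles", [])
    return [r for r in map(parse_role, names) if r is not None]


def matching_roles(roles: List[Role], method: str, asset: str, city: str) -> List[Role]:
    """Roles that cover this (method, asset, city); city-less roles cover all cities."""
    needed = METHOD_ACTION.get(method.upper())
    if needed is None:
        return []
    return [r for r in roles
            if r.asset == asset
            and (r.city is None or r.city == city)
            and (needed == "view" or r.action == "manage")]


def authorize(claims: Dict, method: str, asset: str, city: str,
              resources: List[Dict]) -> Tuple[bool, List[Dict]]:
    """Return (allowed, resources the caller may see or touch).

    For GET, `resources` is the candidate list and the second value is the
    filtered response.  For writes, pass the target resource(s); a filtered
    role that admits none of them yields (False, []).
    """
    matched = matching_roles(roles_from_token(claims), method, asset, city)
    if not matched:
        return False, []
    if any(r.filter_field is None for r in matched):
        return True, list(resources)    # an unfiltered role admits everything
    visible = [res for res in resources
               if any(res.get(r.filter_field) == r.filter_value for r in matched)]
    if METHOD_ACTION[method.upper()] == "manage" and not visible:
        return False, []                # write to something the filter excludes
    return True, visible


# Constructed sample data (not from the post).
HOUSES_ROME = [{"id": 1, "owner": "smith"}, {"id": 2, "owner": "jones"}]
TOKEN_SMITH = {"realm_access": {"roles": ["offline_access",
                                          "view:houses:rome:owner==smith"]}}
TOKEN_MANAGER = {"realm_access": {"roles": ["manage:houses"]}}
TOKEN_MILAN = {"realm_access": {"roles": ["view:houses:milan"]}}
TOKEN_SMITH_MGR = {"realm_access": {"roles": ["manage:houses:rome:owner==smith"]}}

if __name__ == "__main__":
    print(authorize(TOKEN_SMITH, "GET", "houses", "rome", HOUSES_ROME))
    print(authorize(TOKEN_SMITH_MGR, "DELETE", "houses", "rome", [HOUSES_ROME[1]]))
```

The filter problem Corentin mentions shows up in authorize(): a filtered role cannot be decided from the request path alone, the service has to load the candidate resources and apply the filter before answering, which is why a path-only gatekeeper (or a plain Keycloak role check) cannot enforce it.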