[keycloak-user] API Authorization: on request or response?

Corentin Dupont corentin.dupont at gmail.com
Mon Nov 13 12:11:11 EST 2017


Hi again,
I looked everywhere but I couldn't find an Evaluation API for javascript...
In my nodeJS server, should I call UMA API endpoints?

On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva <psilva at redhat.com>
wrote:

> Hi,
>
> It seems you are looking for fine-grained permissions. Could you take a
> look at this example [1] and documentation [2]?
>
> One of the things shown by that example is how to protect resources based
> on their owner.
>
> [1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
> [2] http://www.keycloak.org/docs/latest/authorization_services/index.html
>
> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> Hi guys,
>> another small question :)
>>
>> Suppose you have an API looking like this:
>> http://www.example.com/api/v1/cars
>>
>> Cars have an owner:
>> {
>>   "name": "my car",
>>   "owner": "smith"
>> }
>>
>> How to make sure that you can only get cars that are yours (you can have
>> several cars)?
>> If you make a simple GET on this endpoint, should I:
>> 1. just reply with an "Access denied" because the request is too large: it
>> could yield cars that are not yours,
>> 2. reply with "Access denied" if the response list contains some cars that
>> are not yours,
>> 3. filter the response car list with only yours?
>>
>> It seems that 1. is the simplest because it uses only the request to make
>> decisions.
>> 2. uses the response to make a decision, while 3. requires the collaboration
>> of the response handler in my API server, in order to implement the
>> filtering.
>> What is the most standard way?
>>
>> I also have some trouble understanding how to implement that with Keycloak
>> protect in NodeJS.
>> Cheers!!
>> Corentin
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
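As an added example (not code from this thread, from Keycloak, or from keycloak-connect), here is the owner-based protection Pedro points to, applied to the cars API from the original question: a collection handler that filters down to the caller's own cars (option 3) and a single-item handler that decides on the request alone. It assumes the access token has already been verified upstream and is attached as req.kauth.grant.access_token with its decoded claims in .content, which is the shape keycloak-connect exposes; the data and request objects are constructed so the block runs without Express.

```javascript
// Added example, not from the thread or from Keycloak: owner-based
// protection for the /api/v1/cars API discussed above, written as plain
// functions so it runs without Express or keycloak-connect.
// Assumption: the token has already been verified upstream (e.g. by
// keycloak.protect()) and is attached as req.kauth.grant.access_token, with
// its decoded payload in `.content` (the shape keycloak-connect uses).

// Constructed sample data: two owners, three cars.
const cars = [
  { id: 1, name: 'my car', owner: 'smith' },
  { id: 2, name: 'second car', owner: 'smith' },
  { id: 3, name: 'not mine', owner: 'jones' },
];

// Identity of the caller, taken only from the verified token, never from a
// query parameter or request body the client controls.
function callerOf(req) {
  const grant = req && req.kauth && req.kauth.grant;
  const token = grant && grant.access_token;
  return token && token.content ? token.content.preferred_username : null;
}

// Collection GET (option 3 in the thread): the handler narrows the result to
// the caller's own rows, so the response can never contain another user's car.
function listCars(req) {
  const user = callerOf(req);
  if (!user) return { status: 401, body: { error: 'unauthenticated' } };
  return { status: 200, body: cars.filter((c) => c.owner === user) };
}

// Single-item GET: the decision is made on the request, before any data is
// returned. A car that exists but belongs to someone else is reported exactly
// like a missing one, so the endpoint does not reveal which ids are in use.
function getCar(req, id) {
  const user = callerOf(req);
  if (!user) return { status: 401, body: { error: 'unauthenticated' } };
  const car = cars.find((c) => c.id === id);
  if (!car || car.owner !== user) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: car };
}

// Constructed request carrying an already-verified token payload.
function requestAs(username) {
  return { kauth: { grant: { access_token: { content: { preferred_username: username } } } } };
}
```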

