[keycloak-user] API Authorization: on request or response?

Corentin Dupont corentin.dupont at gmail.com
Tue Nov 14 04:47:34 EST 2017


Thanks for the documentation. After reading it I found that I can use
the "entitlement" endpoints for my use case.
So I do:

TOKEN=$(curl -s -X POST -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'username=username&password=password&grant_type=password&client_id=myclient&client_secret=myclientsecret' \
  "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token" \
  | jq -r .access_token)

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
  -d '{
    "permissions" : [
        {
            "resource_set_name" : "Houses",
            "scopes" : [
                "view"
            ]
        }
    ]
}' "http://localhost:8080/auth/realms/myrealm/authz/entitlement/myclient"

Is this correct? It seems to be working.
I am not sure how I can get/create resources via the API.
I tried:

curl "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" \
  -H "Authorization: Bearer $TOKEN"

But I get:

{"error":"invalid_clientId","error_description":"Client application with id [2ecfae24-f340-4ad0-a12e-02cdc60cd8ba] does not exist in realm [myrealm]"}



On Mon, Nov 13, 2017 at 6:11 PM, Corentin Dupont <corentin.dupont at gmail.com>
wrote:

> Hi again,
> I looked everywhere but I couldn't find an Evaluation API for javascript...
> In my nodeJS server, should I call UMA API endpoints?
>
> On Mon, Nov 13, 2017 at 12:34 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Hi,
>>
>> It seems you are looking for fine-grained permissions. Could you take a
>> look at this example [1] and the documentation [2]?
>>
>> One of the things shown by that example is how to protect resources based
>> on their owner.
>>
>> [1] https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz
>> [2] http://www.keycloak.org/docs/latest/authorization_services/index.html
>>
>> On Sun, Nov 12, 2017 at 7:14 PM, Corentin Dupont <
>> corentin.dupont at gmail.com> wrote:
>>
>>> Hi guys,
>>> another small question :)
>>>
>>> Suppose you have an API looking like this:
>>> http://www.example.com/api/v1/cars
>>>
>>> Cars have an owner:
>>> {
>>>   name: "my car"
>>>   owner: "smith"
>>> }
>>>
>>> How to make sure that you can only get cars that are yours (you can have
>>> several cars)?
>>> If you make a simple GET on this endpoint, should I:
>>> 1. just reply with an "Access denied" because the request is too large: it
>>> could yield cars that are not yours,
>>> 2. reply with "Access denied" if the response list contains some cars
>>> that are not yours,
>>> 3. filter the response car list with only yours?
>>>
>>> It seems that 1. is the simplest because it uses only the request to make
>>> decisions.
>>> 2. uses the response to make the decision, while 3. requires the
>>> collaboration of the response handler in my API server, in order to
>>> implement the filtering.
>>> What is the most standard way?
>>>
>>> I have also some trouble understanding how to implement that with
>>> Keycloak protect in NodeJS.
>>> Cheers!!
>>> Corentin
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>


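The three strategies Corentin lists in the original question (decide on the request alone, decide on the response, or filter the response), implemented as plain functions over a constructed car list. This is an added example, not code from the thread or from Keycloak; the car records, the subject name "smith", the `?owner=` query parameter and the handler shape are assumptions for illustration. In a real NodeJS service the subject would be read from the verified access token, and the ownership predicate of strategy 3 would be pushed into the database query so that foreign records are never loaded. It also builds the JSON body of the entitlement call from the curl command above as an object.

```javascript
// Added example, not from the thread: the three authorization strategies
// from the original question as plain functions over a constructed car list.

// Constructed sample data standing in for GET /api/v1/cars.
const CARS = [
  { name: "my car", owner: "smith" },
  { name: "station wagon", owner: "smith" },
  { name: "coupe", owner: "jones" },
];

// Strategy 1: decide on the request alone. The call is allowed only if the
// query is already narrowed to the caller's own cars (?owner=<caller>, an
// assumed parameter); otherwise it is refused before any data is read.
function authorizeRequest(subject, query) {
  if (query.owner === subject) {
    return { allowed: true };
  }
  return { allowed: false, reason: "request could return cars that are not yours" };
}

// Strategy 2: decide on the response. Load what the query matches, then
// refuse the whole call if any item belongs to someone else.
function authorizeResponse(subject, cars) {
  const foreign = cars.filter((car) => car.owner !== subject);
  if (foreign.length === 0) {
    return { allowed: true, body: cars };
  }
  return { allowed: false, reason: `${foreign.length} car(s) are not owned by ${subject}` };
}

// Strategy 3: keep the call, drop everything the caller does not own.
function filterResponse(subject, cars) {
  return cars.filter((car) => car.owner === subject);
}

// The JSON body of the entitlement call from the curl command above, built
// as an object so resource and scope names are not hand-edited in a string.
function entitlementRequest(resourceSetName, scopes) {
  return { permissions: [{ resource_set_name: resourceSetName, scopes }] };
}

// A handler for GET /api/v1/cars that runs one strategy. `subject` is the
// caller's identity as taken from the verified access token (assumed to be
// the username here); `query` is the parsed query string.
function listCars(strategy, subject, query, cars = CARS) {
  // Apply the client's own ?owner= filter first, as the API would anyway.
  const matched = query.owner ? cars.filter((car) => car.owner === query.owner) : cars;
  const deny = (reason) => ({ status: 403, body: { error: "access_denied", reason } });

  switch (strategy) {
    case "request": {
      const decision = authorizeRequest(subject, query);
      return decision.allowed ? { status: 200, body: matched } : deny(decision.reason);
    }
    case "response": {
      const decision = authorizeResponse(subject, matched);
      return decision.allowed ? { status: 200, body: decision.body } : deny(decision.reason);
    }
    case "filter":
      return { status: 200, body: filterResponse(subject, matched) };
    default:
      throw new Error(`unknown strategy: ${strategy}`);
  }
}

// Run stand-alone to compare the three outcomes for the same unscoped GET.
if (typeof require !== "undefined" && require.main === module) {
  for (const strategy of ["request", "response", "filter"]) {
    const result = listCars(strategy, "smith", {});
    console.log(strategy, result.status, JSON.stringify(result.body));
  }
  console.log(JSON.stringify(entitlementRequest("Houses", ["view"])));
}
```

Run with `node cars.js`: the unscoped GET is refused by strategies 1 and 2 and answered with only smith's two cars by strategy 3. Strategy 2 is the only one that reads foreign records before deciding, which is why it is the costliest of the three and the one most sensitive to a bug in the check.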