[keycloak-user] Fine grain permission on "listing" endpoint

Domenico Briganti dometec at gmail.com
Fri Apr 27 10:20:08 EDT 2018


Hi list,
 I have a question about Authorization Services. I made a demo project
in which I list maintenance tasks of some machines. I would like to
call the list endpoint (/api/tasks) and return all tasks if the currently
logged-in user has the role ADMIN, and only the tasks assigned to the
currently logged-in user if they are not ADMIN.

I've read the Authorization Services guide and I think I understand how
to manage permissions on a single resource (e.g. GET/POST/DELETE on
/api/tasks/1, see
https://github.com/keycloak/keycloak/blob/3.4.3.Final/examples/authz/photoz/photoz-restful-api/src/main/java/org/keycloak/example/photoz/album/AlbumService.java#L102-L134).

Now I would like to move the condition that manages this filter in my
code (pseudo code:
if (!request.isUserInRole(Roles.ADMIN))
  // the principal name should be bound as a query parameter, not concatenated
  tasksFilter += " and t.assigned = " + request.getUserPrincipal().getName();
)

into Keycloak, and have my application ask Keycloak for some sort of
filter to add to the SQL query that lists the tasks.
Is it possible?

What I've seen until now is that with the Protection API I can check whether
the current request can access a Protected Resource or not. What I need
instead is to get a value with which I can filter the Protected Resources
returned.

I hope I explained myself; I am available for clarification.

Thanks,
Domenico
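One way to do what the post asks, as an added example that is not part of the original message or of Keycloak's own code: the application asks Keycloak for the caller's granted permissions (assumption: each task is registered as a Keycloak resource, as the photoz example does for albums, and the token endpoint is called with the UMA ticket grant and response_mode=permissions, which may require a newer release than the 3.4.3 referenced above), then turns the granted resource ids into a parameterized SQL filter instead of concatenating the principal into the query. The HTTP call itself is out of scope; the JSON below is a constructed sample of the response body.

```python
import json
import sqlite3

# Constructed sample of the permissions JSON Keycloak returns for
# response_mode=permissions (resource ids are made up for this demo).
PERMISSIONS_JSON = json.dumps([
    {"rsid": "task-2", "rsname": "Task 2", "scopes": ["view"]},
    {"rsid": "task-3", "rsname": "Task 3", "scopes": ["view"]},
])

def granted_resource_ids(permissions_json, scope="view"):
    """Collect the rsid of every permission whose scopes include `scope`."""
    ids = set()
    for perm in json.loads(permissions_json):
        if scope in perm.get("scopes", []):
            ids.add(perm["rsid"])
    return ids

def build_task_query(is_admin, resource_ids):
    """Return (sql, params). ADMIN sees everything; everyone else gets an
    IN filter built only from bound parameters, never from concatenation."""
    sql = "SELECT id FROM tasks"
    if is_admin:
        return sql, ()
    if not resource_ids:
        return sql + " WHERE 0", ()          # nothing granted: empty result
    ids = sorted(resource_ids)
    placeholders = ",".join("?" * len(ids))
    return sql + f" WHERE resource_id IN ({placeholders})", tuple(ids)

def list_tasks(conn, is_admin, permissions_json):
    """Run the filtered listing and return the task ids, ordered."""
    sql, params = build_task_query(is_admin, granted_resource_ids(permissions_json))
    return [row[0] for row in conn.execute(sql + " ORDER BY id", params)]

def demo_db():
    """In-memory tasks table (constructed data) mirroring the post's demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tasks (id INTEGER PRIMARY KEY, resource_id TEXT, assigned TEXT)")
    conn.executemany("INSERT INTO tasks VALUES (?, ?, ?)", [
        (1, "task-1", "alice"), (2, "task-2", "bob"), (3, "task-3", "bob"),
    ])
    return conn

if __name__ == "__main__":
    print("admin  :", list_tasks(demo_db(), True, PERMISSIONS_JSON))
    print("bob    :", list_tasks(demo_db(), False, PERMISSIONS_JSON))
    print("nothing:", list_tasks(demo_db(), False, "[]"))
```

The decision of which tasks a user may view stays in Keycloak policies; the application only translates the granted resource ids into a query filter.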
