[keycloak-user] Group-based permissions for resources

Christian Stier stier at fzi.de
Fri Jun 22 04:09:27 EDT 2018


Dear all,

I am in the process of implementing an authorization solution for the REST API of an application using Keycloak/OIDC.

The application manages resources based on their association with user groups. Its simplified path schema is similar to
/{organization}/{resourcename}. All users of an organization should be allowed to access its resources. My current approach is to
map organizations to Keycloak user groups.

1) Is it possible to define an authorization policy in Keycloak that handles group-based authorization for a single resource defined
for the path /{organization}/{resourcename}? My idea here was to check if the organization path of a URL matches a scope of the
calling client that is mapped from its group memberships. I looked into JS policy examples and the Evaluation API but I did not see
a way to check against path parameters.

2) Or: Do I have to (programmatically) create separate resource/policy pairs for each organization to support this type of
group-based authorization?

Thanks for any pointers and input.

Best regards
Christian
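An application-side version of the check described in 1), as an added example that is not from the original post or from Keycloak: the REST API itself compares the {organization} path segment against the caller's group memberships. It assumes the access token has already been signature-verified upstream and that Keycloak's Group Membership protocol mapper emits a `groups` claim of full group paths such as "/acme" (the claim name and mapper configuration are assumptions, and the sample claims are constructed).

```python
"""Group-based authorization for paths of the form /{organization}/{resourcename}.

Example code, not Keycloak's own.  Assumes the token is already verified and
that a `groups` claim carries Keycloak group paths such as "/acme" or
"/acme/auditors" (claim name and mapper settings are assumptions)."""
import posixpath
from urllib.parse import unquote


def organization_from_path(path: str):
    """Return the {organization} segment, or None if the path does not have
    exactly the /{organization}/{resourcename} shape."""
    # Percent-decode first, then collapse "." and ".." so that a request for
    # /acme/../globex/report is attributed to globex, not acme.
    normalized = posixpath.normpath("/" + unquote(path).lstrip("/"))
    parts = [p for p in normalized.split("/") if p]
    if len(parts) != 2:
        return None
    return parts[0]


def groups_from_claims(claims: dict) -> set:
    """Map group paths ("/acme", "/acme/auditors") to top-level organization
    names; members of a subgroup count as members of the organization."""
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return set()
    orgs = set()
    for group in groups:
        if isinstance(group, str):
            top = group.strip("/").split("/", 1)[0]
            if top:
                orgs.add(top)
    return orgs


def is_authorized(path: str, claims: dict) -> bool:
    """Allow only when the path's organization is one of the caller's groups.
    Comparison is exact (Keycloak group names are case-sensitive); anything
    malformed or missing is denied."""
    org = organization_from_path(path)
    if org is None:
        return False
    return org in groups_from_claims(claims)


# Constructed sample claims, not a real token.
SAMPLE_CLAIMS = {"sub": "1234", "groups": ["/acme", "/acme/auditors"]}

if __name__ == "__main__":
    for p in ("/acme/report", "/globex/report", "/acme/../globex/report", "/acme"):
        print(p, "->", "allow" if is_authorized(p, SAMPLE_CLAIMS) else "deny")
```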