[keycloak-user] Viewing permissions

Pedro Igor Silva psilva at redhat.com
Fri Mar 9 10:05:18 EST 2018


I think a specific endpoint makes more sense. It seems to provide a better
SoC and more give you more flexibility as you can enhance the endpoint with
additional capabilities, if necessary, when checking for permissions.

On Fri, Mar 9, 2018 at 11:51 AM, Corentin Dupont <corentin.dupont at gmail.com>
wrote:

> At the moment, no, the client does not know the resource name. To get the
> cars it just calls GET www.myAPI.com/cars.
> My client does not talk directly to Keycloak: there is an intermediary
> between the two called the "API server".
> So it's like that:
>
> Client --> API server -> Keycloak (and other backend components).
>
> The API server creates the authorization requests to Keycloak.
> The client just knows the endpoint name and the data format behind it (the
> format of a car, for instance).
>
> So I'm wondering if I should create a specific endpoint for the access
> checking in that API, with the corresponding data format.
> This new data format would contain something similar to the
> resource/scopes as you suggest.
> The other solution is to enhance each endpoint with a "dry run" or "check
> permission" option.
>
>
>
> On Fri, Mar 9, 2018 at 2:47 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> I see ... Does your client know the name of the resource representing the
>> "/cars/myCar" URI ?
>>
>> If so, I think you don't even need to design an API for that. But just
>> send from your client an entitlement request passing the resource/scopes
>> you want to check for access.
>>
>>
>> On Fri, Mar 9, 2018 at 9:11 AM, Corentin Dupont <
>> corentin.dupont at gmail.com> wrote:
>>
>>>
>>>
>>> On Fri, Mar 9, 2018 at 12:53 PM, Pedro Igor Silva <psilva at redhat.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Fri, Mar 9, 2018 at 6:47 AM, Corentin Dupont <
>>>> corentin.dupont at gmail.com> wrote:
>>>>
>>>>> Based on my current API, I can see two strategies for displaying the
>>>>> "delete" (or request access) button.
>>>>>
>>>>> I have an API like this:
>>>>>
>>>>> GET /cars
>>>>> POST /cars
>>>>> GET /cars/<carID>
>>>>> DELETE /cars/<carID>
>>>>>
>>>>> When I receive a request, I call keycloak to get authorization on the
>>>>> resource/scope.
>>>>> I also create/delete resources in Keycloak for the POST/DELETE
>>>>> requests.
>>>>>
>>>>> Regarding the display of the "delete" button on the UI, what should I
>>>>> do?
>>>>> I see two options:
>>>>> 1. Add a "dry_run" query parameter on the DELETE endpoint:
>>>>>
>>>>> DELETE /cars/myCar?dry_run=true
>>>>>
>>>>> This would query only keycloak, and return the status code (200 or
>>>>> 403). Based on that I can display my button or not.
>>>>>
>>>>
>>>> You can send a entitlement request to Keycloak asking permissions for
>>>> the resource. 200/403 will be returned accordingly.
>>>>
>>>
>>> Exactly. But my question was more on how to design an API using this
>>> feature :)
>>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>> 2. Create a specific endpoint for viewing authorizations:
>>>>>
>>>>> GET /permissions
>>>>> {
>>>>>   cars=[{myCar: ["view", "delete"]}, {anotherCar: ["view"]}]
>>>>> }
>>>>>
>>>>> What do you think?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Mar 7, 2018 at 12:31 PM, Pedro Igor Silva <psilva at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> I think this is the best way to go ....
>>>>>>
>>>>>> In fact, this is exactly what we are pushing now with UMA 2.0 and
>>>>>> support for asynchronous authorization. Suppose you have a "Request Access"
>>>>>> button in case the user is not allowed to perform operation on a resource
>>>>>> belonging to a different user. This button could be displayed based on a
>>>>>> "test" authorization request to which you can also specify whether or not
>>>>>> you want to start an authorization flow to get approval from resource owner.
>>>>>>
>>>>>> Regards.
>>>>>> Pedro Igor
>>>>>>
>>>>>> On Tue, Mar 6, 2018 at 4:27 PM, Corentin Dupont <
>>>>>> corentin.dupont at gmail.com> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>> I have a question around the representation and result of
>>>>>>> permissions.
>>>>>>> Say I have an application that manages socks inventory. The UI is
>>>>>>> displaying a button to delete socks. However, some user doesn't have
>>>>>>> the
>>>>>>> right to delete socks!
>>>>>>> So, I perform a request to Keycloak to get the permission.
>>>>>>> It works well: if the user doesn't have permission, the message
>>>>>>> "authorization denied" is displayed on the screen.
>>>>>>>
>>>>>>> However, it would be nicer to remove the "delete" button entirely.
>>>>>>> My policies are quite complex and multi-dimensional: You can delete
>>>>>>> socks
>>>>>>> if you are admin, but also if it belongs to you, you belong to some
>>>>>>> groups
>>>>>>> etc.
>>>>>>> So anticipating the reply to an authorization request can be very
>>>>>>> hard.
>>>>>>>
>>>>>>> What do you suggest? Should we perform a "test" authorization request
>>>>>>> before display the "delete" button?
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>


More information about the keycloak-user mailing list