[keycloak-user] Patterns in Resource URI's
Juan José Vázquez Delgado
juanjo.vazquez.delgado at tecsisa.com
Thu May 24 18:51:28 EDT 2018
Hello everyone. I'm currently assessing KC Authz services and I stumbled
across a use case that I'm not sure how to solve. I've found previous
similar discussions but I couldn't find the answer that might apply
directly to it. Basically, I have a web service that acts as resource
server, following the UMA terminology, and I want to protect it using KC.
This ws publishes several endpoints that follow a multi-tenant arrangement.
Something like this:
/{org_id}/products
/{org_id}/product/{id}
...
etc
The ID Token obtained through the authentication OIDC flow carries the
`org_id` data so I could provide this as additional claim to the token
endpoint in order to get a proper RPT. However, I would like not to have to
create a different resource per organization and uri, but just the same
patterns as in the endpoints:
/{org_id}/products
/{org_id}/product/{id}
I haven't found any information about whether it's possible to define a
pattern also in the resource uri so that I can use it from the Evaluation
API during the RPT issuance. I'm sure I'm missing something relevant here,
but so far I couldn't find other solution than creating as many resources
as organizations exist and that could be a maintanance burden in the
future. Maybe it's just as simple as parsing the resource name, in JS or
Drools Rules, in order to retrieve the `org_id` from the resource name.
Any help would be appreciated. Thanks!.
More information about the keycloak-user
mailing list