[keycloak-user] Patterns in Resource URI's

Pedro Igor Silva psilva at redhat.com
Fri May 25 08:44:11 EDT 2018


Hi Juan,

Recently, we have added support for Claim Information Points [1].
Basically, these are components on the policy enforcer side that can be
configured to send additional claims to your policies. They allow you to
extract different information from the request as well as from the access
token.

Would that work for you?

[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point

On Thu, May 24, 2018 at 7:51 PM, Juan José Vázquez Delgado <
juanjo.vazquez.delgado at tecsisa.com> wrote:

> Hello everyone. I'm currently assessing KC Authz services and I stumbled
> across a use case that I'm not sure how to solve. I've found previous
> similar discussions but I couldn't find the answer that might apply
> directly to it. Basically, I have a web service that acts as resource
> server, following the UMA terminology, and I want to protect it using KC.
> This ws publishes several endpoints that follow a multi-tenant arrangement.
> Something like this:
>
> /{org_id}/products
> /{org_id}/product/{id}
> ...
> etc
>
> The ID Token obtained through the authentication OIDC flow carries the
> `org_id` data so I could provide this as an additional claim to the token
> endpoint in order to get a proper RPT. However, I would like not to have to
> create a different resource per organization and uri, but just the same
> patterns as in the endpoints:
>
> /{org_id}/products
> /{org_id}/product/{id}
>
> I haven't found any information about whether it's possible to define a
> pattern also in the resource uri so that I can use it from the Evaluation
> API during the RPT issuance. I'm sure I'm missing something relevant here,
> but so far I couldn't find any other solution than creating as many resources
> as organizations exist and that could be a maintenance burden in the
> future. Maybe it's just as simple as parsing the resource name, in JS or
> Drools Rules, in order to retrieve the `org_id` from the resource name.
>
> Any help would be appreciated. Thanks!
>
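
The tenant check discussed in this thread, as an added example that is not part of the original messages or Keycloak's own code: a policy body in the style of a Keycloak JavaScript policy that grants only when the `org_id` in the request URI matches the caller's `org_id`. The claim name `request-uri` (assumed to be pushed by a Claim Information Point configured with `{request.uri}`), the `org_id` identity attribute name, and the `mockEvaluation` and `decide` helpers are assumptions made for the example.

```javascript
// Added example. Assumed names: 'request-uri' claim, 'org_id' identity attribute.

// Extract {org_id} from /{org_id}/products or /{org_id}/product/{id}.
// Anything else returns null, so unknown shapes are never granted. The
// character class excludes '.', '%' and '/', which rules out dot segments
// and encoded separators instead of trying to normalize them.
function orgIdFromUri(uri) {
  if (typeof uri !== 'string') return null;
  var path = uri.split(/[?#]/)[0];
  var m = /^\/([A-Za-z0-9_-]+)\/(?:products|product\/[A-Za-z0-9_-]+)$/.exec(path);
  return m ? m[1] : null;
}

// Policy body: grant only when the tenant in the URI equals the caller's org_id.
function tenantPolicy($evaluation) {
  var context = $evaluation.getContext();
  var uriClaim = context.getAttributes().getValue('request-uri');
  var orgClaim = context.getIdentity().getAttributes().getValue('org_id');
  if (!uriClaim || !orgClaim) return; // missing claim: no grant
  var requested = orgIdFromUri(uriClaim.asString(0));
  if (requested !== null && requested === orgClaim.asString(0)) {
    $evaluation.grant();
  }
}

// Constructed stand-in for the $evaluation object so the policy runs offline.
function mockEvaluation(contextClaims, identityClaims) {
  function attrs(map) {
    return {
      getValue: function (k) {
        if (!Object.prototype.hasOwnProperty.call(map, k)) return null;
        return { asString: function () { return map[k]; } };
      }
    };
  }
  var ev = { granted: false };
  ev.grant = function () { ev.granted = true; };
  ev.getContext = function () {
    return {
      getAttributes: function () { return attrs(contextClaims); },
      getIdentity: function () {
        return { getAttributes: function () { return attrs(identityClaims); } };
      }
    };
  };
  return ev;
}

// Run the policy against constructed claims and report the decision.
function decide(contextClaims, identityClaims) {
  var ev = mockEvaluation(contextClaims, identityClaims);
  tenantPolicy(ev);
  return ev.granted;
}
```

With this shape a single resource per URI pattern is enough, because the per-organization decision is made from the claims at evaluation time.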
