[keycloak-user] Best practices for permission-based resource lookup

Lamina, Marco marco.lamina at sap.com
Tue Oct 16 12:07:32 EDT 2018


Hi folks,
I have a project with several resources that are created and owned by users. Access to these resources can be shared with groups or other users via Keycloak permissions. My API needs to implement endpoints for accessing these resources in a permission-based manner, meaning that for example GET /my-resource should return all resources that the provided access token has permission to view (e.g. via “view” scope).

Right now, this is my implementation:

  1.  POST /my-resource creates an object in my DB and a corresponding Keycloak resource via the Protection API. Resources in Keycloak are named using a schema (<resource-prefix>.<database-id>)
  2.  Send POST token endpoint with response_mode=permissions. This gives me a list of all resources the token can access, including the scopes. See [1]
  3.  Filter the list by name and scope using the resource prefix
  4.  Extract object IDs from resource names and load DB objects using the extracted IDs

While this works, I still see some issues with this approach:

  *   The resulting list of resources in 2) could potentially become quite big and increase response time
  *   The “naming schema solution” for mapping Keycloak resources to database objects seems more like a workaround

Are there best practices for doing this kind of thing with Keycloak? If not, I’d be grateful for any tips on how to turn this into a more robust / efficient solution.

Thanks,
Marco

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
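Steps 2 to 4 of the approach described above, as an added example that is not part of the original post. It assumes the UMA token-endpoint request shape and the permission response shape (a JSON list of objects with `rsid`, `rsname` and `scopes`) documented at [1]; the resource prefix `document`, the sample permission list and the token values are constructed for illustration, and an entry with no `scopes` list is treated as granting no scope (a fail-closed choice of this example, not a Keycloak rule).

```python
import re
from urllib.parse import urlencode

# Grant type used by Keycloak's token endpoint for authorization requests (UMA 2.0).
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_permissions_request(token_endpoint, access_token, audience):
    """Step 2: build the POST that asks Keycloak which resources/scopes the bearer
    token may access. response_mode=permissions makes the server answer with the
    permission list instead of issuing an RPT. Returns (url, headers, body); the
    caller sends it with any HTTP client."""
    body = urlencode({"grant_type": UMA_TICKET_GRANT,
                      "audience": audience,
                      "response_mode": "permissions"})
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return token_endpoint, headers, body


# Constructed sample of a response_mode=permissions answer (not captured from a server).
# Resource names follow the <resource-prefix>.<database-id> schema from the post.
SAMPLE_PERMISSIONS = [
    {"rsid": "res-1", "rsname": "document.42", "scopes": ["view", "edit"]},
    {"rsid": "res-2", "rsname": "document.7", "scopes": ["edit"]},
    {"rsid": "res-3", "rsname": "document.13"},              # no scopes listed
    {"rsid": "res-4", "rsname": "folder.3", "scopes": ["view"]},  # other prefix
    {"rsid": "res-5", "rsname": "document.42", "scopes": ["view"]},  # same id, second grant
]


def permitted_ids(permissions, prefix, scope):
    """Steps 3 and 4: keep only entries named exactly <prefix>.<id> whose scope list
    contains `scope`, and return the de-duplicated ids to load from the database.
    Anchoring the pattern on both ends keeps 'documents.1' or 'document.1.x'
    from being mistaken for a match; a missing scope list grants nothing."""
    name_re = re.compile(r"^" + re.escape(prefix) + r"\.([^.]+)$")
    ids = set()
    for perm in permissions:
        match = name_re.match(perm.get("rsname", ""))
        if match is None:
            continue
        if scope not in perm.get("scopes", []):
            continue
        ids.add(match.group(1))
    return sorted(ids)


if __name__ == "__main__":
    print(permitted_ids(SAMPLE_PERMISSIONS, "document", "view"))  # ['42']
```

The returned id list is what a single `WHERE id IN (...)` query would load, so the database sees only objects the token is explicitly allowed to view.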
