[keycloak-user] Keycloak RBAC permission check in node API

Pedro Igor Silva psilva at redhat.com
Tue Oct 23 07:56:15 EDT 2018


Hi,

Recently, we have added a policy enforcer component to the NodeJS adapter.
I need to work on docs though. Could you check this example [1]?

For more details about how to obtain permissions from the server, take a
look here [2].

[1] https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example
[2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

On Tue, Oct 23, 2018 at 8:24 AM Shubham Akodiya <sakodiya at grepruby.com>
wrote:

> Hi Team,
>
> I was integrating the keycloak with nodejs and I want to restrict the
> nodeJS API. I've added the *Authorization settings (scope, resources and
> policies)* while creating the client. But struggling, how to protect the
> API endpoints basis on the resource and scopes in nodejs app. I've declared
> following resources and scopes in the client and also, added some policies
> basis on the role.
>
> 'res:customer', 'scopes:create'],
> ['/customers(*)', 'get', 'res:customer', 'scopes:view'],
> ['/campaigns', 'post', 'res:campaign', 'scopes:create'],
> ['/campaigns(*)', 'get', 'res:campaign', 'scopes:view
>
> Although, I've checked the link
> <https://github.com/v-ladynev/keycloak-nodejs-example> and while I insight
> into the code I found that there is one API
> http://localhost:8080/auth/realms/{realmName}/authz/entitlement/{clientName}
> which accepts the authorization token in header and permissions in body like
> '[{"resource_set_name": "res:campaign", "scopes": [ 'scopes:view' ]}]', so
> this way we could check
> that whether user have sufficient permission or not. *But while going
> through the doc, I found that the entitlement API was removed in the
> keycloak new version*.
>
> *So how can we perform the similar permission checks in new keycloak
> version. Is there any API supported just like entitlement? Or is there any
> alternative way available to perform the protection check?*
>
> Thanks,
> Shubham Akodiya
>
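
The permission check asked about above can be done against the token endpoint described in the "obtaining permissions" documentation linked as [2]. The following is an added example, not code from this thread or from the Keycloak project. The route table is constructed from the complete rows quoted in the question, and the function names, `baseUrl`, `realm` and `clientId` are hypothetical placeholders.

```javascript
// Constructed route table, modelled on the rows quoted in the question.
const ROUTES = [
  ['/customers(*)', 'get', 'res:customer', 'scopes:view'],
  ['/campaigns', 'post', 'res:campaign', 'scopes:create'],
];

// Map an incoming request to the "resource#scope" permission it needs.
// Returns null when no rule matches so the caller can deny by default.
function requiredPermission(method, path) {
  for (const [pattern, verb, resource, scope] of ROUTES) {
    const prefix = pattern.endsWith('(*)') ? pattern.slice(0, -3) : null;
    const pathOk = prefix !== null ? path.startsWith(prefix) : path === pattern;
    if (pathOk && verb === method.toLowerCase()) return `${resource}#${scope}`;
  }
  return null;
}

// Build the token-endpoint request that asks Keycloak for a yes/no decision.
// baseUrl, realm and clientId are placeholders supplied by the caller.
function buildDecisionRequest(baseUrl, realm, clientId, accessToken, permission) {
  const body = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:uma-ticket',
    audience: clientId,          // the client that owns the protected resources
    permission,                  // e.g. "res:campaign#scopes:create"
    response_mode: 'decision',   // server answers {"result": true} or an error
  });
  return {
    url: `${baseUrl}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`,
    options: {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${accessToken}`,
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: body.toString(),
    },
  };
}

// Fail closed: unknown routes, non-2xx responses and network errors all deny.
async function isAllowed(cfg, accessToken, method, path, fetchImpl = fetch) {
  const permission = requiredPermission(method, path);
  if (permission === null) return false;
  const { url, options } = buildDecisionRequest(cfg.baseUrl, cfg.realm, cfg.clientId, accessToken, permission);
  try {
    const res = await fetchImpl(url, options);
    return res.ok && (await res.json()).result === true;
  } catch {
    return false;
  }
}
```

The caller's bearer token is forwarded as-is, so the decision reflects that user's roles and policies rather than the API's own service account.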

