[keycloak-user] Keycloak generic authorization with patterns as role name

Manfred Zingl zingl.manfred at gmail.com
Thu Apr 25 10:18:53 EDT 2019


Hi.

I'm right now playing around with Keycloak in order to evaluate if it is
suitable as an IAM and SSO solution at our company.

I learned that there are two main approaches to do authorization:
programmatic vs. externalized authorization

http://lists.jboss.org/pipermail/keycloak-user/2018-October/015996.html

Externalized authorization is not possible in our case because our API is
not designed so fine grained that we could grant/restrict access on
resource level. Even if we change the API, the result for a get request
should be filtered by the roles defined in the access token transferred with
the request. So I think we have to follow the programmatic approach.
Also our Application and its resources are very generic, so I'm searching
for a solution where I can define permissions/roles very generic like by a
pattern.

for example:
  "fixProductGroup:*::edit"
or
  "fixProductGroup:/1|2|3/::view"
or even concatenated conditions
  "fixProductGroup:/5|8|13/::pricingColumn::edit"

This is not very beautiful, maybe it would be better to define such roles
as JSON, in order to make parsing and checking easier on the resource server side.
JSON content is currently (Keycloak 5.0.0) not possible as role names
(internal server error) and I'm not sure if this is a very good idea at all.

What do you think? Am I totally wrong here, and in which direction should I
investigate?

Thank you very much,
Mane
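
Added example, not part of the original message and not Keycloak code: a resource-server-side check that parses the pattern-style role names proposed above and filters a GET result by them. The grammar, the numeric-only ids, the function names and the sample claims are assumptions made for illustration; the token is assumed to be already signature-verified, with realm roles read from the `realm_access.roles` claim.

```python
import re
from typing import NamedTuple, Optional

# Assumed grammar (not defined by Keycloak): <type>:<ids>[::<scope>]::<action>
# <ids> is "*" or "/id|id|.../" with numeric ids. The ids are parsed as a literal
# set, never compiled as a regex, so a role name cannot smuggle in a wider pattern.
ROLE_RE = re.compile(
    r"(?P<type>[A-Za-z]\w*):(?P<ids>\*|/\d+(?:\|\d+)*/)"
    r"(?:::(?P<scope>[A-Za-z]\w*))?::(?P<action>[A-Za-z]\w*)"
)

class Grant(NamedTuple):
    rtype: str
    ids: Optional[frozenset]  # None means wildcard "*"
    scope: Optional[str]      # None means the grant is not limited to a sub-scope
    action: str

def parse_role(role: str) -> Optional[Grant]:
    m = ROLE_RE.fullmatch(role)  # fullmatch: no partial or trailing-garbage matches
    if m is None:
        return None  # malformed or ordinary role name: grants nothing
    ids = None if m["ids"] == "*" else frozenset(m["ids"].strip("/").split("|"))
    return Grant(m["type"], ids, m["scope"], m["action"])

def grants_from_claims(claims: dict) -> list:
    # Realm roles of an already verified access token
    roles = claims.get("realm_access", {}).get("roles", [])
    return [g for g in map(parse_role, roles) if g is not None]

def is_allowed(grants, rtype, rid, action, scope=None) -> bool:
    # Deny by default; an unscoped grant covers every scope (assumption)
    return any(
        g.rtype == rtype and g.action == action
        and (g.ids is None or str(rid) in g.ids)
        and (g.scope is None or g.scope == scope)
        for g in grants
    )

def filter_viewable(grants, rtype, items):
    # Filter a GET result down to the items the token may view
    return [i for i in items if is_allowed(grants, rtype, i["id"], "view")]

# Constructed sample claims (not taken from a real token)
SAMPLE_CLAIMS = {"realm_access": {"roles": [
    "fixProductGroup:/1|2|3/::view",
    "fixProductGroup:/5|8|13/::pricingColumn::edit",
    "fixProductGroup:/.*/::edit",  # regex-looking ids: rejected by the parser
    "offline_access",              # ordinary role: ignored
]}}
```
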

