[keycloak-user] Securing RESTful API Best Practices

Bruno Oliveira bruno at abstractj.org
Thu May 16 20:06:19 EDT 2019


Hi Farzad, have you tried one of our quickstarts[1]? I believe they may be
helpful.

[1] - https://github.com/keycloak/keycloak-quickstarts

On Thu, May 16, 2019, 8:40 PM Farzad Panahi <farzad.panahi at gmail.com> wrote:

> Hi,
>
> I am very new to Keycloak. I have a RESTful API implemented with json:api
> <https://jsonapi.org/> spec which I want to secure using Keycloak.
>
> I just want to ask the Keycloak community for best practices when it comes
> to securing RESTful APIs.
>
> My endpoints will be something like:
> GET /api/books --> return all books the user has access for
> GET /api/books/123 --> return book with id = 123
>
> My challenge now is to figure out how to define resources in Keycloak.
> Should I add all my books as resources to Keycloak? And then define the
> permission between each user and resource?
>
> What would be the best practice to implement "GET /api/books" to return
> only the books the logged in user has access to? Should I query the
> Keycloak API to get all the resources the logged in user has access to, in
> the backend?
>
> Thanks
>
> Farzad
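One way to implement the backend-side check Farzad asks about at the end of the post, as an added example that is not code from this thread or from the Keycloak quickstarts: it assumes Keycloak Authorization Services with each book registered as a resource named book:<id> carrying a read scope, and the server URL, realm and client id are placeholders.

```python
import json
from urllib import parse, request

# Placeholder settings (assumptions, not values from the thread); releases of
# the 2019 era serve realm endpoints under an /auth prefix.
KEYCLOAK_BASE = "https://keycloak.example/auth"
REALM = "demo"
RESOURCE_SERVER_CLIENT_ID = "books-api"  # client that owns the book resources

# Constructed sample of a response_mode=permissions reply: one entry per
# resource Keycloak's policies grant the caller, with the granted scopes.
SAMPLE_PERMISSIONS_JSON = json.dumps([
    {"rsid": "res-123", "rsname": "book:123", "scopes": ["read"]},
    {"rsid": "res-456", "rsname": "book:456", "scopes": ["read", "update"]},
])
SAMPLE_BOOKS = [{"id": 123, "title": "Alpha"}, {"id": 456, "title": "Beta"},
                {"id": 789, "title": "Gamma"}]

def fetch_permissions(access_token):
    """UMA ticket grant with response_mode=permissions: Keycloak evaluates its
    policies and returns what the bearer of access_token holds, so the backend
    never duplicates policy logic. Network call, not exercised offline."""
    body = parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": RESOURCE_SERVER_CLIENT_ID,
        "response_mode": "permissions",
    }).encode()
    req = request.Request(
        f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token",
        data=body, headers={"Authorization": f"Bearer {access_token}"})
    with request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def readable_book_ids(permissions_json):
    """Ids of books whose resource was granted with the 'read' scope. Assumed
    naming convention: each book is registered as a resource named book:<id>."""
    ids = set()
    for perm in json.loads(permissions_json):
        name = perm.get("rsname", "")
        if name.startswith("book:") and "read" in perm.get("scopes", []):
            ids.add(int(name.split(":", 1)[1]))
    return ids

def list_books(permissions_json, books=SAMPLE_BOOKS):
    """GET /api/books: return only the books the caller is permitted to read,
    filtering on Keycloak's decision rather than on data held in the API."""
    allowed = readable_book_ids(permissions_json)
    return [b for b in books if b["id"] in allowed]
```

In a real handler, pass the caller's bearer token to fetch_permissions and feed its JSON reply into list_books; for GET /api/books/123 the same set decides whether to return the book or deny.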
