[keycloak-user] Securing RESTful API Best Practices

Farzad Panahi farzad.panahi at gmail.com
Thu May 16 20:32:34 EDT 2019


Tnx Bruno.
I looked into the REST examples. They are good examples but they are
simple.
I am looking for best practices for a bit more sophisticated scenario where
each user has a dynamic set of resources associated with it.
What would be the best practices to do this sort of mapping in Keycloak? To
add every individual resource into Keycloak and define individual
permissions?

On Thu, May 16, 2019 at 5:06 PM Bruno Oliveira <bruno at abstractj.org> wrote:

> Hi Farzad, have you tried one of our quickstarts[1]? I believe they may be
> helpful.
>
> [1] - https://github.com/keycloak/keycloak-quickstarts
>
> On Thu, May 16, 2019, 8:40 PM Farzad Panahi <farzad.panahi at gmail.com>
> wrote:
>
>> Hi,
>>
>> I am very new to Keycloak. I have a RESTful API implemented with json:api
>> <https://jsonapi.org/> spec which I want to secure using Keycloak.
>>
>> I just want to ask the Keycloak community for best practices when it comes
>> to securing RESTful APIs.
>>
>> My endpoints will be something like:
>> GET /api/books --> return all books the user has access for
>> GET /api/books/123 --> return book with id = 123
>>
>> My challenge now is to figure out how to define resources in Keycloak.
>> Should I add all my books as resources to Keycloak? And then define the
>> permission between each user and resource?
>>
>> What would be the best practice to implement "GET /api/books" to return
>> only the books the logged in user has access to? Should I query the
>> Keycloak API to get all the resources the logged in user has access to, in
>> the backend?
>>
>> Thanks
>>
>> Farzad
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
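The backend-side approach Farzad asks about (registering each book as a Keycloak resource, then asking Keycloak which of them the logged-in user may access before answering GET /api/books), as an added example that is not part of this thread and not Keycloak's own code. It assumes a resource naming convention of `book:<id>`, a resource-server client id `books-api`, and uses Keycloak's documented UMA permission request (`grant_type=urn:ietf:params:oauth:grant-type:uma-ticket` with `response_mode=permissions`); the permissions list below is constructed sample data standing in for the real response.

```python
import json
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

# Constructed sample data: the API's own book table, plus the kind of JSON
# Keycloak returns with response_mode=permissions. Resource names "book:<id>"
# are an assumed convention, one Keycloak resource per book.
BOOKS = {123: "Dune", 456: "Neuromancer", 789: "Snow Crash"}
CONSTRUCTED_PERMISSIONS = [
    {"rsid": "res-1", "rsname": "book:123", "scopes": ["view", "edit"]},
    {"rsid": "res-2", "rsname": "book:789", "scopes": ["view"]},
    {"rsid": "res-3", "rsname": "book:456"},  # no scopes listed
]

def permission_request(access_token, audience, permission=None):
    """Form body and headers for Keycloak's token endpoint. With
    response_mode=permissions Keycloak answers with the JSON list of granted
    resources instead of issuing an RPT. `permission` (e.g. "book:123#view")
    narrows the evaluation to one resource; omitted, everything is evaluated."""
    body = {"grant_type": UMA_GRANT, "audience": audience,
            "response_mode": "permissions"}
    if permission:
        body["permission"] = permission
    headers = {"Authorization": "Bearer " + access_token,
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.parse.urlencode(body), headers

def fetch_permissions(server, realm, access_token, audience, permission=None):
    """Network call (not exercised offline). Keycloak answers 403 when
    nothing is granted; treat that as an empty list in the caller."""
    data, headers = permission_request(access_token, audience, permission)
    url = f"{server}/realms/{realm}/protocol/openid-connect/token"
    req = urllib.request.Request(url, data=data.encode(), headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def granted_book_ids(permissions, scope="view"):
    """Book ids whose Keycloak resource grants `scope`. Fails closed: an entry
    without an explicit scopes list is not taken as granting the scope."""
    ids = set()
    for perm in permissions:
        name = perm.get("rsname", "")
        _, _, raw_id = name.partition("book:")
        if name.startswith("book:") and raw_id.isdigit() \
                and scope in perm.get("scopes", []):
            ids.add(int(raw_id))
    return ids

def list_books(permissions):
    """GET /api/books: only the books Keycloak says the caller may view."""
    allowed = granted_book_ids(permissions)
    return [{"id": i, "title": t} for i, t in sorted(BOOKS.items()) if i in allowed]

def get_book(book_id, permissions):
    """GET /api/books/<id>: 404 for both unknown and forbidden ids, so the
    response does not reveal which ids exist."""
    if book_id in BOOKS and book_id in granted_book_ids(permissions):
        return 200, {"id": book_id, "title": BOOKS[book_id]}
    return 404, None
```

In a real deployment the permissions list comes from `fetch_permissions(...)` called with the bearer token the client sent, and can be cached for the token's remaining lifetime to avoid one Keycloak round trip per request.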

