[keycloak-user] Securing RESTful API Best Practices
Pedro Igor Silva
psilva at redhat.com
Fri May 17 09:50:54 EDT 2019
Hi Farzad,
How do you check if a user has access to a book ? Is the user the book
owner or you have more conditions that should be taken into account to
grant access to books ?
[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <farzad.panahi at gmail.com>
wrote:
> Hi,
>
> I am very new to Keycloak. I have a RESTful API implemented with json:api
> <https://jsonapi.org/> spec which I want to secure using Keycloak.
>
> I just want to ask the Keycloak community for best practices when it comes
> to securing RESTful APIs.
>
> My endpoints will be something like:
> GET /api/books --> return all books the user has access for
> GET /api/books/123 --> return book with id = 123
>
> My challenge now is to figure out how to define resources in Keycloak.
> Should I add all my books as resources to Keycloak? And then define the
> permission between each user and resource?
>
> What would be the best practice to implement "GET /api/books" to return
> only the books the logged in user has access to? Should I query the
> Keycloak API to get all the resources the logged in user has access to, in
> the backend?
>
> Thanks
>
> Farzad
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list