[keycloak-user] Securing RESTful API Best Practices

Farzad Panahi farzad.panahi at gmail.com
Fri May 17 12:41:40 EDT 2019


Hi Pedro,

The user is not the book owner. You can think about it this way: if B
is the set of all books, then each user has access to a subset of B, and
these subsets are not mutually exclusive; they do overlap.

On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <psilva at redhat.com>
wrote:

> Hi Farzad,
>
> How do you check if a user has access to a book? Is the user the book
> owner, or are there more conditions that should be taken into account to
> grant access to books?
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>
>
> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <farzad.panahi at gmail.com>
> wrote:
>
>> Hi,
>>
>> I am very new to Keycloak. I have a RESTful API implemented with json:api
>> <https://jsonapi.org/> spec which I want to secure using Keycloak.
>>
>> I just want to ask the Keycloak community for best practices when it comes
>> to securing RESTful APIs.
>>
>> My endpoints will be something like:
>> GET /api/books --> return all books the user has access to
>> GET /api/books/123 --> return the book with id = 123
>>
>> My challenge now is to figure out how to define resources in Keycloak.
>> Should I add all my books as resources to Keycloak? And then define the
>> permission between each user and resource?
>>
>> What would be the best practice to implement "GET /api/books" so that it
>> returns only the books the logged-in user has access to? Should I query the
>> Keycloak API from the backend to get all the resources the logged-in user
>> has access to?
>>
>> Thanks
>>
>> Farzad
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

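An added example, not code from either poster: how a backend could answer both endpoints from the thread if the books are registered as Keycloak resources (one of the options Farzad raised). It assumes resources are named `book:<id>` with explicit scopes, uses the UMA grant with `response_mode=permissions` described in the linked guide, and the permissions payload, client id and token values are constructed placeholders.

```python
# Added example (not from the thread). Books are assumed to be registered as
# Keycloak resources named "book:<id>" with explicit scopes such as "view".
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def build_permissions_request(access_token, client_id):
    """Headers and form body for POST /realms/<realm>/protocol/openid-connect/token.
    response_mode=permissions asks Keycloak for the list of granted resources and
    scopes instead of an RPT; omitting 'permission' evaluates all of the client's
    resources. If the user holds no permission Keycloak answers with an error
    rather than an empty list, so the caller should map that to []."""
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": UMA_GRANT, "audience": client_id,
                      "response_mode": "permissions"})
    return headers, body

# Constructed sample shaped like Keycloak's permissions response: the user may
# view two books and edit two, with book 456 in both sets (subsets overlap).
SAMPLE_PERMISSIONS = [
    {"rsid": "00000000-0000-4000-8000-000000000123", "rsname": "book:123", "scopes": ["view"]},
    {"rsid": "00000000-0000-4000-8000-000000000456", "rsname": "book:456", "scopes": ["view", "edit"]},
    {"rsid": "00000000-0000-4000-8000-000000000789", "rsname": "book:789", "scopes": ["edit"]},
]

def granted_scopes(permissions):
    """Map resource name -> set of granted scopes; duplicate entries are merged."""
    grants = {}
    for entry in permissions:
        grants.setdefault(entry["rsname"], set()).update(entry.get("scopes", []))
    return grants

def accessible_book_ids(permissions, scope="view"):
    """GET /api/books: ids of every book:<id> resource carrying `scope`."""
    grants = granted_scopes(permissions)
    return sorted(name.split(":", 1)[1] for name, scopes in grants.items()
                  if name.startswith("book:") and scope in scopes)

def can_access_book(permissions, book_id, scope="view"):
    """GET /api/books/<id>: deny by default, allow only on an explicit grant."""
    return scope in granted_scopes(permissions).get(f"book:{book_id}", set())

if __name__ == "__main__":
    print(accessible_book_ids(SAMPLE_PERMISSIONS))          # ['123', '456']
    print(can_access_book(SAMPLE_PERMISSIONS, "789"))       # False
```

Filtering a large catalogue this way means one permissions query per request; if the book set grows large, the ownership-style condition Pedro asks about in a policy is usually cheaper than registering every book as its own resource.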
