[keycloak-user] Securing RESTful API Best Practices

Pedro Igor Silva psilva at redhat.com
Fri May 17 14:45:34 EDT 2019


Sorry, but it is still not clear to me how a "user has access to a subset of
B" works. Is this access based on roles, groups or any other information that you
gather from the context? I'm wondering if this is not a business rule
instead ....

On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <farzad.panahi at gmail.com>
wrote:

> Hi Pedro,
>
> The user is not the book owner. You can think about it this way that if B
> is the set of all books then each user has access to a subset of B such
> that these subsets are not mutually exclusive and do overlap.
>
> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <psilva at redhat.com>
> wrote:
>
>> Hi Farzad,
>>
>> How do you check if a user has access to a book ? Is the user the book
>> owner or you have more conditions that should be taken into account to
>> grant access to books ?
>>
>> [1]
>> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>>
>>
>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <farzad.panahi at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I am very new to Keycloak. I have a RESTful API implemented with json:api
>>> <https://jsonapi.org/> spec which I want to secure using Keycloak.
>>>
>>> I just want to ask the Keycloak community for best practices when it
>>> comes
>>> to securing RESTful APIs.
>>>
>>> My endpoints will be something like:
>>> GET /api/books --> return all books the user has access for
>>> GET /api/books/123 --> return book with id = 123
>>>
>>> My challenge now is to figure out how to define resources in Keycloak.
>>> Should I add all my books as resources to Keycloak? And then define the
>>> permission between each user and resource?
>>>
>>> What would be the best practice to implement "GET /api/books" to return
>>> only the books the logged in user has access to? Should I query the
>>> Keycloak API to get all the resources the logged in user has access to,
>>> in
>>> the backend?
>>>
>>> Thanks
>>>
>>> Farzad
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
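The question above asks how a backend should implement "GET /api/books" so that it returns only the books the logged-in user is permitted to see, and whether to ask Keycloak for the user's resources. One concrete way to do the second half of that is to let Keycloak Authorization Services evaluate the permissions and hand the client a requesting party token (RPT), whose `authorization.permissions` claim lists the resources and scopes granted, and then filter the catalogue in the backend against that claim. The following is an added example written for this thread, not code from the original posts or from Keycloak: the book catalogue, the decoded RPT payload, and the `book:<id>` / `book:read` resource and scope naming are all constructed assumptions. A real RPT is obtained from the token endpoint with `grant_type=urn:ietf:params:oauth:grant-type:uma-ticket` and its signature must be verified before any claim in it is trusted.

```python
"""Filter a REST API's book listing by the permissions in a Keycloak RPT.

Added example for the keycloak-user thread; not code from the thread or from
Keycloak. The RPT payload is constructed and is assumed to have already had
its signature verified by the backend's JWT layer.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed catalogue owned by the API backend. Only the access decision
# lives in Keycloak; the book data itself stays here.
BOOKS: Dict[str, Dict[str, str]] = {
    "123": {"id": "123", "title": "Alpha"},
    "456": {"id": "456", "title": "Beta"},
    "789": {"id": "789", "title": "Gamma"},
}

# Constructed decoded RPT payload. Keycloak places granted permissions under
# the "authorization" claim; each entry carries the resource id ("rsid"),
# the resource name ("rsname") and the scopes granted on it. The resource
# naming convention "book:<id>" is an assumption of this example.
RPT_PAYLOAD = {
    "sub": "user-1",
    "authorization": {
        "permissions": [
            {"rsid": "res-123", "rsname": "book:123", "scopes": ["book:read"]},
            {"rsid": "res-456", "rsname": "book:456",
             "scopes": ["book:read", "book:write"]},
        ]
    },
}


def granted_book_ids(rpt_payload: dict, scope: str) -> Set[str]:
    """Return the ids of books on which the RPT grants `scope`."""
    ids: Set[str] = set()
    permissions = rpt_payload.get("authorization", {}).get("permissions", [])
    for perm in permissions:
        name = perm.get("rsname", "")
        if name.startswith("book:") and scope in perm.get("scopes", []):
            ids.add(name.split(":", 1)[1])
    return ids


def list_books(rpt_payload: dict) -> List[Dict[str, str]]:
    """GET /api/books: only the books the caller may read, in stable order.

    Filtering happens on the granted set, never on the full catalogue with a
    per-item deny, so a missing permission can only shrink the result.
    """
    allowed = granted_book_ids(rpt_payload, "book:read")
    return [BOOKS[book_id] for book_id in sorted(allowed) if book_id in BOOKS]


def get_book(rpt_payload: dict, book_id: str,
             scope: str = "book:read") -> Tuple[int, Optional[Dict[str, str]]]:
    """GET /api/books/<id>: (status, body).

    Both "unknown id" and "exists but not granted" answer 404 so that the
    response does not reveal which ids exist to a caller without access.
    """
    book = BOOKS.get(book_id)
    if book is None or book_id not in granted_book_ids(rpt_payload, scope):
        return 404, None
    return 200, book


if __name__ == "__main__":
    print([b["id"] for b in list_books(RPT_PAYLOAD)])   # ['123', '456']
    print(get_book(RPT_PAYLOAD, "123"))                 # (200, {...})
    print(get_book(RPT_PAYLOAD, "789"))                 # (404, None)
    print(get_book(RPT_PAYLOAD, "456", scope="book:write"))  # (200, {...})
```

The design choice worth noting is that the backend never asks "is this book denied?"; it computes the granted set from the token and intersects it with the catalogue, so an RPT with no `authorization` claim yields an empty listing rather than everything. If the set of books is large, the same claim structure can be used to build a `WHERE id IN (...)` filter instead of loading the whole catalogue.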


More information about the keycloak-user mailing list