[keycloak-user] Securing RESTful API Best Practices

Farzad Panahi farzad.panahi at gmail.com
Fri May 17 16:21:39 EDT 2019


This is exactly where I want to use Keycloak to set this business
rule/mapping. Basically I need to associate each user with a subset of B
(books) to which the user has access. This association is not based on
roles or groups. It is based on individual users.
That's why I was thinking that the only way I can think of doing this is to
add every individual book as a resource in Keycloak, and then I have to
create a permission for each of them to grant access to any individual user.
It would help if Keycloak had a concept like a resource group, I guess. Then
I could put all those resources in a resource group and grant access to
that resource group for an individual user.
Then, in order to see which resources each user has access to, I need to
query Keycloak somehow (I need to figure out how exactly), get the
resources that user has access to, and return only those resources for that
user.

That's what I can think of right now. I am just wondering if there is a
better way to do this sort of resource-oriented access control where each
user has access to a specific set of resources only.



On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> Sorry, but it is still not clear to me how a "user has access to a subset of
> B". Is this access based on roles, groups or any other information that you
> gather from the context? I'm wondering if this is not a business rule
> instead...
>
> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <farzad.panahi at gmail.com>
> wrote:
>
>> Hi Pedro,
>>
>> The user is not the book owner. You can think about it this way: if B
>> is the set of all books, then each user has access to a subset of B such
>> that these subsets are not mutually exclusive and do overlap.
>>
>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <psilva at redhat.com>
>> wrote:
>>
>>> Hi Farzad,
>>>
>>> How do you check if a user has access to a book? Is the user the book
>>> owner, or do you have more conditions that should be taken into account to
>>> grant access to books?
>>>
>>> [1]
>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>>>
>>>
>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <farzad.panahi at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am very new to Keycloak. I have a RESTful API implemented with the
>>>> json:api <https://jsonapi.org/> spec which I want to secure using Keycloak.
>>>>
>>>> I just want to ask the Keycloak community for best practices when it
>>>> comes to securing RESTful APIs.
>>>>
>>>> My endpoints will be something like:
>>>> GET /api/books --> return all books the user has access to
>>>> GET /api/books/123 --> return book with id = 123
>>>>
>>>> My challenge now is to figure out how to define resources in Keycloak.
>>>> Should I add all my books as resources to Keycloak? And then define the
>>>> permission between each user and resource?
>>>>
>>>> What would be the best practice to implement "GET /api/books" to return
>>>> only the books the logged in user has access to? Should I query the
>>>> Keycloak API to get all the resources the logged in user has access to,
>>>> in the backend?
>>>>
>>>> Thanks
>>>>
>>>> Farzad
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
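The thread leaves open how the backend would actually ask Keycloak which resources a user may see. Keycloak Authorization Services answers that question through the token endpoint: a request with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket, audience=<client id> and response_mode=permissions makes Keycloak evaluate the permissions defined for that client and return only the granted ones as a JSON array of {"rsid", "rsname", "scopes"} entries; adding permission=<resource>#<scope> narrows the evaluation to one resource. The example below is added here and is not code from the thread or from the Keycloak project. It assumes the approach Farzad describes (one Keycloak resource per book) with hypothetical names: resources called "book:<id>", a "view" scope, a client "books-api", and a realm "library". The HTTP call is kept separate from the pure filtering logic so the latter can be exercised on a constructed sample response.

```python
"""Filter GET /api/books and check GET /api/books/<id> against Keycloak
Authorization Services permissions (added example; names are assumptions)."""
import json
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
RESOURCE_PREFIX = "book:"   # assumed naming convention: one resource per book
VIEW_SCOPE = "view"         # assumed scope name


def build_permissions_request(base_url, realm, client_id, access_token, permission=None):
    """Return (url, form fields, headers) for the token-endpoint request that
    asks Keycloak which permissions the bearer of `access_token` holds for
    `client_id`. response_mode=permissions yields the granted permissions
    instead of an RPT; `permission` ("<resource>#<scope>") restricts the
    evaluation to a single resource."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = {"grant_type": UMA_GRANT, "audience": client_id, "response_mode": "permissions"}
    if permission:
        form["permission"] = permission
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, form, headers


def fetch_permissions(base_url, realm, client_id, access_token, permission=None):
    """Perform the request against a live Keycloak (network call, not part of the tests)."""
    url, form, headers = build_permissions_request(base_url, realm, client_id, access_token, permission)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def allowed_book_ids(permissions):
    """Map Keycloak's permissions array to the set of book ids the caller may view.
    Entries for resources outside the book naming convention are ignored. An
    entry without a "scopes" key is a resource-level grant and is treated here
    as covering every scope of that resource; an entry with a scope list must
    include the view scope."""
    ids = set()
    for entry in permissions:
        name = entry.get("rsname", "")
        if not name.startswith(RESOURCE_PREFIX):
            continue
        scopes = entry.get("scopes")
        if scopes is not None and VIEW_SCOPE not in scopes:
            continue
        ids.add(name[len(RESOURCE_PREFIX):])
    return ids


def list_books(all_books, permissions):
    """GET /api/books: enforce the filter in the backend, before pagination,
    so the client never sees ids it is not entitled to."""
    allowed = allowed_book_ids(permissions)
    return [book for book in all_books if book["id"] in allowed]


def can_view_book(permissions, book_id):
    """GET /api/books/<id>: deny by default unless a view grant exists."""
    return book_id in allowed_book_ids(permissions)


# Constructed sample data (not real Keycloak output): three books in the
# backend and a permissions response granting view on two of them.
SAMPLE_BOOKS = [
    {"id": "123", "title": "Threat Modeling"},
    {"id": "456", "title": "Secure by Design"},
    {"id": "789", "title": "Applied Cryptography"},
]
SAMPLE_PERMISSIONS = [
    {"rsid": "rs-0001", "rsname": "book:123", "scopes": ["view"]},
    {"rsid": "rs-0003", "rsname": "book:789"},                   # resource-level grant
    {"rsid": "rs-0002", "rsname": "book:456", "scopes": ["edit"]},  # no view scope
    {"rsid": "rs-0099", "rsname": "library-admin"},               # unrelated resource
]

if __name__ == "__main__":
    print([b["id"] for b in list_books(SAMPLE_BOOKS, SAMPLE_PERMISSIONS)])  # ['123', '789']
    print(can_view_book(SAMPLE_PERMISSIONS, "456"))  # False
```

Two practical caveats follow from this shape. A response_mode=permissions call with no `permission` parameter makes Keycloak evaluate every permission defined for the client, so with one resource and one permission per book the list endpoint costs a full evaluation per request; for the single-book endpoint, pass permission="book:123#view" (or use response_mode=decision) so only that resource is evaluated. And because the filtering happens in the backend, the client-supplied id in GET /api/books/<id> is never trusted: the handler calls can_view_book before loading the record.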

