[keycloak-user] Securing RESTful API Best Practices

Farzad Panahi farzad.panahi at gmail.com
Tue May 21 13:59:47 EDT 2019


Any hint or example project to look at would really help to put me in the
right direction.

Should I post this question with a better and more specific title with more
elaborate body to present the question better?

On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <farzad.panahi at gmail.com>
wrote:

> This is exactly where I want to use Keycloak to set this business
> rule/mapping. Basically I need to associate each user with a subset of B
> (books) to which the user has access. This association is not based on
> roles or groups. It is based on individual users.
> That's why I was thinking that the only way I can think of doing this is to
> add every individual book as a resource in Keycloak and then I have to
> create a permission for each of them to grant access to any individual user.
> It would help if Keycloak had a concept like a resource group I guess.
> Then I could put all those resources in a resource group and grant access
> to that resource group for an individual user.
> Then in order to see which resources each user has access to, I need to
> query Keycloak somehow (I need to figure out how exactly) and get the
> resources that user has access to, and return only those resources for that
> user.
>
> That's what I can think of right now. I am just wondering if there is a
> better way to do this sort of resource oriented access control where each
> user has access to a specific set of resources only.
>
>
>
> On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Sorry, but it is still not clear to me how a "user has access to a subset of
>> B". Is this access based on roles, groups or any other information that you
>> gather from the context? I'm wondering if this is not a business rule
>> instead ....
>>
>> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <farzad.panahi at gmail.com>
>> wrote:
>>
>>> Hi Pedro,
>>>
>>> The user is not the book owner. You can think about it this way: if
>>> B is the set of all books, then each user has access to a subset of B such
>>> that these subsets are not mutually exclusive and do overlap.
>>>
>>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <psilva at redhat.com>
>>> wrote:
>>>
>>>> Hi Farzad,
>>>>
>>>> How do you check if a user has access to a book? Is the user the book
>>>> owner, or do you have more conditions that should be taken into account to
>>>> grant access to books?
>>>>
>>>> [1]
>>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>>>>
>>>>
>>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <farzad.panahi at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am very new to Keycloak. I have a RESTful API implemented with the
>>>>> json:api <https://jsonapi.org/> spec which I want to secure using Keycloak.
>>>>>
>>>>> I just want to ask the Keycloak community for best practices when it
>>>>> comes to securing RESTful APIs.
>>>>>
>>>>> My endpoints will be something like:
>>>>> GET /api/books --> return all books the user has access to
>>>>> GET /api/books/123 --> return book with id = 123
>>>>>
>>>>> My challenge now is to figure out how to define resources in Keycloak.
>>>>> Should I add all my books as resources to Keycloak? And then define the
>>>>> permission between each user and resource?
>>>>>
>>>>> What would be the best practice to implement "GET /api/books" to return
>>>>> only the books the logged in user has access to? Should I query the
>>>>> Keycloak API to get all the resources the logged in user has access to,
>>>>> in the backend?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Farzad
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
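The approach sketched in the thread (one Keycloak resource per book, a permission per user, and the backend asking Keycloak which resources the caller may see before answering GET /api/books) can be worked through in code. The following is an added example written for this thread, not code from Farzad, Pedro or the Keycloak project. It assumes each book is registered in Keycloak as a resource named `book:<id>` with a `view` scope, that the backend lists the caller's permissions with Keycloak's UMA grant (`grant_type=urn:ietf:params:oauth:grant-type:uma-ticket` with `response_mode=permissions`, which returns entries of `rsid`, `rsname` and `scopes`), and it replaces the live HTTP call with a constructed sample response so it runs offline. The book catalogue, resource ids and the `book:<id>` naming scheme are all hypothetical.

```python
"""Per-user, resource-based book access with Keycloak Authorization Services.

Added example for the thread above (not Keycloak's or the poster's code).
Assumptions: books are Keycloak resources named "book:<id>" carrying a "view"
scope; the backend obtains the caller's permissions via Keycloak's UMA grant
with response_mode=permissions and filters the catalogue with that answer.
The token-endpoint call is not performed here; SAMPLE_PERMISSIONS stands in.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
VIEW_SCOPE = "view"
BOOK_RESOURCE = re.compile(r"^book:(\d+)$")

# Constructed catalogue owned by the API backend (hypothetical data).
CATALOGUE: Dict[str, dict] = {
    "123": {"id": "123", "title": "Threat Modeling"},
    "124": {"id": "124", "title": "Applied Cryptography"},
    "125": {"id": "125", "title": "Secure by Design"},
}

# Constructed stand-in for Keycloak's response_mode=permissions answer for
# one caller. Real rsid values are Keycloak-generated UUIDs; these are labels.
SAMPLE_PERMISSIONS: List[dict] = [
    {"rsid": "rsid-1", "rsname": "book:123", "scopes": ["view"]},
    {"rsid": "rsid-2", "rsname": "book:125", "scopes": ["view"]},
    {"rsid": "rsid-3", "rsname": "book:999", "scopes": ["view"]},    # not in catalogue
    {"rsid": "rsid-4", "rsname": "book:124", "scopes": ["borrow"]},  # lacks "view"
    {"rsid": "rsid-5", "rsname": "report:7", "scopes": ["view"]},    # other resource type
]


def permissions_request(resource_server_client_id: str) -> dict:
    """Form body the backend POSTs to the realm token endpoint, sending the
    caller's access token as the Bearer credential. Leaving 'permission' out
    asks Keycloak for every permission the caller holds on this audience."""
    return {
        "grant_type": UMA_GRANT,
        "audience": resource_server_client_id,
        "response_mode": "permissions",
    }


def granted_book_ids(permissions: Optional[List[dict]]) -> Set[str]:
    """Map Keycloak permission entries back to book ids.

    Only resources named book:<id> that carry the view scope count. Entries
    for other resource types, other scopes, or a missing/denied answer
    (None) contribute nothing, so the result defaults to deny."""
    ids: Set[str] = set()
    for perm in permissions or []:
        match = BOOK_RESOURCE.match(perm.get("rsname", ""))
        if match and VIEW_SCOPE in perm.get("scopes", []):
            ids.add(match.group(1))
    return ids


def list_books(permissions: Optional[List[dict]]) -> List[dict]:
    """GET /api/books: the catalogue filtered by what Keycloak granted.
    Books granted in Keycloak but unknown to the backend simply drop out."""
    allowed = granted_book_ids(permissions)
    return [book for book_id, book in sorted(CATALOGUE.items()) if book_id in allowed]


def get_book(book_id: str, permissions: Optional[List[dict]]) -> Tuple[int, Optional[dict]]:
    """GET /api/books/<id>: 404 for an unknown id, 403 for a known book the
    caller was not granted, 200 with the book otherwise. Answering 404 in
    both cases would hide which ids exist; whichever policy is chosen should
    be applied consistently across endpoints."""
    book = CATALOGUE.get(book_id)
    if book is None:
        return 404, None
    if book_id not in granted_book_ids(permissions):
        return 403, None
    return 200, book


if __name__ == "__main__":
    print(permissions_request("books-api"))
    print([b["id"] for b in list_books(SAMPLE_PERMISSIONS)])
    print(get_book("124", SAMPLE_PERMISSIONS))
```

The filtering happens on the backend from Keycloak's answer rather than from claims the client presents, so adding or revoking a user's permission on a book resource in Keycloak changes both endpoints without any change to the API code.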