[keycloak-user] Securing RESTful API Best Practices

Pedro Igor Silva psilva at redhat.com
Tue May 21 14:34:49 EDT 2019 

Hi Farzad,

Sorry for the late reply.

Our authorization model is targeted for enforcing security-related
constraints, not business rules. Maybe you could consider Drools/BRMS.

Some time ago we had a discussion about data filtering and how to fetch
resources based on policy decisions. If you look at our documentation [1]
you'll see that policies can push arbitrary claims back to your application
when granting access to a permission. This capability allows you to send a
specific claim along with the permission that represents some filter that
you can use to query your database.

As a result, you'll have within your token something like:

"permissions": [
    {
      "resource_id": "90ccc6fc-b296-4cd1-881e-089e1ee15957",
      "resource_name": "Book Resource",
      "claims": ["data.filter": ["book.type = 'foo' or book.type = 'bar'"]]
    }
  ]

We do have a "resource group" concept. Resources can have a type and you
can also have a single resource representing a set of one or more "real"
resources.

[1]
https://www.keycloak.org/docs/latest/authorization_services/index.html#pushing-arbitrary-claims-to-the-resource-server

On Tue, May 21, 2019 at 3:14 PM Farzad Panahi <farzad.panahi at gmail.com>
wrote:

> Any hint or example project to look at would really help to put me in the
> right direction.
>
> Should I post this question with a better and more specific title with more
> elaborate body to present the question better?
>
> On Fri., May 17, 2019, 1:21 p.m. Farzad Panahi, <farzad.panahi at gmail.com>
> wrote:
>
> > This is exactly where I want to use Keycloak to set this business
> > rule/mapping. Basically I need to associate each user with a subset of B
> > (books) to which the user has access to. This association is not based on
> > roles or groups. It is based on individual users.
> > That's why I was thinking that the only way I can think of doing this to
> > add every individual book as a resource in Keycloak and then I have to
> > create a permission for each of them to grant access to any individual
> user.
> > It would help if Keycloak had a concept like a resource group I guess.
> > Then I could put all those resources in a resource group and grant access
> > to that resource group for an individual user.
> > Then in order to see which resources each user has access to, I need to
> > query Keycloak somehow (I need to figure out how exactly) and get the
> > resources that user has access to, and return only those resources for
> that
> > user.
> >
> > That's what I can think of right now. I am just wondering if there is a
> > better way to do this sort of resource oriented access control where each
> > user has access to specific set of resources only.
> >
> >
> >
> > On Fri, May 17, 2019 at 11:45 AM Pedro Igor Silva <psilva at redhat.com>
> > wrote:
> >
> >> Sorry, but is still not clear to me how a "user has access to a subset
> of
> >> B" is this access based on roles, groups or any other information that
> you
> >> gather from the context ? I'm wondering if this is not a business rule
> >> instead ....
> >>
> >> On Fri, May 17, 2019 at 1:42 PM Farzad Panahi <farzad.panahi at gmail.com>
> >> wrote:
> >>
> >>> Hi Pedro,
> >>>
> >>> The user is not the book owner. You can think about it this way that if
> >>> B is the set of all books then each user has access to a subset of B
> such
> >>> that these subsets are not mutually exclusive and do overlap.
> >>>
> >>> On Fri., May 17, 2019, 6:51 a.m. Pedro Igor Silva, <psilva at redhat.com>
> >>> wrote:
> >>>
> >>>> Hi Farzad,
> >>>>
> >>>> How do you check if a user has access to a book ? Is the user the book
> >>>> owner or you have more conditions that should be taken into account to
> >>>> grant access to books ?
> >>>>
> >>>> [1]
> >>>>
> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
> >>>>
> >>>>
> >>>> On Thu, May 16, 2019 at 8:42 PM Farzad Panahi <
> farzad.panahi at gmail.com>
> >>>> wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> I am very new to Keycloak. I have a RESTful API implemented with
> >>>>> json:api
> >>>>> <https://jsonapi.org/> spec which I want to secure using Keycloak.
> >>>>>
> >>>>> I just want to ask the Keycloak community for best practices when it
> >>>>> comes
> >>>>> to securing RESTful APIs.
> >>>>>
> >>>>> My endpoints will be something like:
> >>>>> GET /api/books --> return all books the user has access for
> >>>>> GET /api/books/123 --> return book with id = 123
> >>>>>
> >>>>> My challenge now is to figure out how to define resources in
> Keycloak.
> >>>>> Should I add all my books as resources to Keycloak? And then define
> the
> >>>>> permission between each user and resource?
> >>>>>
> >>>>> What would be the best practice to implement "GET /api/books" to
> return
> >>>>> only the books the logged in user has access to? Should I query the
> >>>>> Keycloak API to get all the resources the logged in user has access
> >>>>> to, in
> >>>>> the backend?
> >>>>>
> >>>>> Thanks
> >>>>>
> >>>>> Farzad
> >>>>> _______________________________________________
> >>>>> keycloak-user mailing list
> >>>>> keycloak-user at lists.jboss.org
> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>
> >>>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

More information about the keycloak-user mailing list