Create application menu with permission

bssdev · April 9, 2020, 3:37pm

Hi to all.
I have a menu with a lot multi-level entries. For instance:

ORDER

CUSTOMER
- new customer order
- delete customer order
SUPPLIER
- new supplier order
- delete supplier order

Each menu entry has a unique code for identification.

I would show to the user only the voices he has access.
If the role is “customer service” for example, I must read the CUSTOMER submenu and its sons, no SUPPLIER submenu.

My idea is to create a resource for each menu entry (in this example they are 7, in my app they are about 50), maybe set resource_type = ‘menuentry’, and to give permission to different roles (via policies).

When an user ask for it’s menu, I need to check permissions to the records.

Does exists a smart way to do this?

Now, I’am searching for parent entry and recursively:

 if ( user.hasPermission(parent_entry) ) then
    put parent_entry in the menu
    check for parent_entry's children
 else
   skip this entry and all the childrens

In the worst case, in this way I call che permission check on Keycloak N times for each menu’s creation request (each times an user refresh or leave a web pages with menu inside).

zonaut · April 9, 2020, 4:06pm

You should take a look at the urn:ietf:params:oauth:grant-type:uma-ticket grant type on https://www.keycloak.org/docs/latest/authorization_services/#_service_authorization_api

Robinyo · April 9, 2020, 8:19pm

If your Authorisation requirements are straightforward then you can use a combination of roles and scopes to protect your resources and show/hide items in your application’s menu.

See: Angular, OAuth 2.0 and Keycloak

However, if your Authorisation requirements are more sophisticated then you might want to take advantage of Keycloak’s support for Requesting Party Tokens.

bssdev · April 10, 2020, 1:22pm

Thank you for the hint. I’ve tryed the API request and it can fit my necessity.

It would be fantastic if I could request the parameter by resource type (for example type=menu VS type=webservice).
For now, i’ll add a scope to my menu-resources and query for that scope to filter only the resources with type=menu.

bssdev · April 10, 2020, 1:32pm

Thank you Robinyo.

I haven’t specified that I use java.

I wrote the client in bash (using curl) and it works.

Does exists a client in Java that do this api request?

PS : for those that want to try, this is my bash function

function login_token_endpoint {
read -p "Access Token : " -r
access_token=$REPLY
read -p "Resource Name : " -r
resource=$REPLY
response=$(curl -X POST http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
    --insecure -H "Authorization: Bearer ${access_token}" \
    --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
    --data "audience=${resource_server_client_id}" \
    --data "response_include_resource_name=true" \
    --data "response_mode=permissions"
     )
echo "Response:"
jq --color-output . <<< $response
}

Topic		Replies	Views
Retrieving resources for a specfic application role with authorization services (UMA) Getting advice authentication , oidc	0	410	May 23, 2023
Keycloak: resource rolebased acccess management issue Getting advice	0	244	January 23, 2023
I want to dynamically draw menus in my application. What is the best way to do this using keycloak ?(Any policies/permissions) Getting advice	0	408	November 13, 2019
Permission for frontend keycloak	0	431	February 11, 2022
Fine grained resource-based authorization Getting advice	1	712	November 29, 2021

Create application menu with permission

Related topics