Keycloak resource ownership - /{userid}/getEmail should only works if requester is {userid}

Time:07-08

I want to create a new policy on Keycloak for the /{userid}/getEmail endpoint. It must only be allowed if the requesting user tries to access their own email. Otherwise it should return not authorized.

CodePudding user response:

Keycloak has some built-in policies, but they won't meet your demands; you can create your own policy types to support your specific requirement. Keycloak provides an SPI (Service Provider Interface) that you can use to plug in your own policy provider implementations.

Follow the doc: https://www.keycloak.org/docs/latest/server_development/#_providers

Suggestion: if the endpoint

/{userid}/getEmail

should only respond when the requester is requesting their own email, change the REST API path to something like

/current/getEmail

and then parse and validate the token. Return the parsed token's user email address.
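The token-validation approach from the answer, written out as an added example (it is not code from the answer's author or from Keycloak, and the asker's resource server language is unknown, so Go is used because the whole check fits in the standard library). It goes slightly beyond the answer: the handler rule accepts both the suggested `/current/getEmail` alias and an explicit `/{userid}/getEmail` whose `{userid}` equals the verified token's `sub`. Assumptions: Keycloak signs access tokens with RS256, the user id is in `sub`, the address is in the `email` claim, the realm public key is handed to the verifier by the caller, and the issuer URL, user ids and addresses are constructed test data. `SignRS256` exists only so the example runs offline; in a real deployment Keycloak mints the token and the API never holds a private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of Keycloak access-token claims the ownership check needs
// (assumed claim names: "sub" is the user id, "email" the user's address).
type Claims struct {
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Iss   string `json:"iss"`
	Exp   int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// VerifyRS256 parses a compact JWT, insists on RS256, verifies the signature
// with the realm public key, then checks issuer and expiry. No claim is
// trusted before the signature has been verified.
func VerifyRS256(token string, pub *rsa.PublicKey, issuer string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	// Rejecting every alg but RS256 blocks "none" and HMAC-with-public-key downgrades.
	hdrJSON, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("unsupported or unreadable header")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("signature invalid")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil || c.Sub == "" {
		return c, errors.New("bad payload")
	}
	if c.Iss != issuer {
		return c, errors.New("wrong issuer")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("token expired")
	}
	return c, nil
}

// AuthorizeGetEmail is the ownership rule for GET /{userid}/getEmail: the email
// is released with HTTP 200 only when {userid} is the "current" alias or equals
// the verified token's sub; any other requester gets 403 and nothing else.
func AuthorizeGetEmail(pathUserID string, c Claims) (string, int) {
	if pathUserID == "current" || pathUserID == c.Sub {
		return c.Email, 200
	}
	return "", 403
}

// SignRS256 mints a token so the example runs offline. In production Keycloak
// signs tokens and the API only ever holds the realm public key.
func SignRS256(c Claims, priv *rsa.PrivateKey) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss := "https://keycloak.example/realms/demo" // constructed issuer URL
	tok, _ := SignRS256(Claims{Sub: "alice-id", Email: "alice@example.com", Iss: iss,
		Exp: time.Now().Add(time.Minute).Unix()}, key)
	c, err := VerifyRS256(tok, &key.PublicKey, iss, time.Now())
	fmt.Println("verify:", err)
	fmt.Println(AuthorizeGetEmail("alice-id", c)) // alice@example.com 200
	fmt.Println(AuthorizeGetEmail("bob-id", c))   // "" 403
}
```

The ordering matters: the algorithm is pinned before anything is decoded, the signature is checked before the payload is parsed, and the path comparison runs only on a `sub` that survived those checks, so a forged `{"sub":"bob-id"}` payload or an `alg: none` header never reaches the ownership rule.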
