I want to create a new policy on Keycloak for the /{userid}/getEmail endpoint. It must only be allowed if the requesting user tries to access their own email. Otherwise it should return not authorized.
CodePudding user response:
Keycloak has some built-in policies, but they won't meet your demands; you can, however, create your own policy types to support your specific requirement. Keycloak provides an SPI (Service Provider Interface) that you can use to plug in your own policy provider implementations.
Follow doc: https://www.keycloak.org/docs/latest/server_development/#_providers
Suggestion: if the endpoint
/{userid}/getEmail
only responds when the requester is requesting their own email, change the REST API path to something like
/current/getEmail
and then parse and validate the token. Return the email address of the user in the parsed token.
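The "parse and validate the token, then compare it with the path" approach from the answer above, as an added example that is not part of the original post or of Keycloak's own code. It uses only the Python standard library so it runs offline: a real Keycloak realm signs access tokens with RS256 using the realm key pair (verify with the public key from the realm's JWKS endpoint), so the HS256 shared secret, the issuer, the audience and the user directory below are all constructed assumptions for the demo. The handler answers 401 for an invalid or expired token, 403 when a valid token belongs to a different user, and 200 with the email only when the token subject matches the {userid} in the path. A second handler shows the /current/getEmail variant, which needs no path comparison at all because the subject comes from the token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values (assumptions, not Keycloak's real configuration).
DEMO_SECRET = b"constructed-demo-secret-not-for-production"   # HS256 key for the demo only
EXPECTED_ISSUER = "https://keycloak.example/realms/demo"        # assumed realm issuer
EXPECTED_AUDIENCE = "email-api"                                 # assumed client audience

# Constructed user directory standing in for the application's data store.
USER_EMAILS = {
    "user-123": "alice@example.org",
    "user-456": "bob@example.org",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, exp_offset: int = 300, secret: bytes = DEMO_SECRET) -> str:
    """Issue a minimal HS256 JWT; stands in for Keycloak's token endpoint in this demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": EXPECTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "sub": sub,
        "exp": int(time.time()) + exp_offset,
    }
    signing_input = (
        _b64url_encode(json.dumps(header).encode())
        + "."
        + _b64url_encode(json.dumps(payload).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes = DEMO_SECRET) -> Optional[dict]:
    """Return the claims when algorithm, signature, issuer, audience and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: never trust the token's own 'alg' to pick the verifier.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
            return None
        if claims.get("exp", 0) <= time.time():
            return None
        return claims
    except (ValueError, AttributeError, UnicodeDecodeError):
        # Malformed base64/JSON, wrong segment count, or non-object header/payload
        return None


def get_email(path_userid: str, bearer_token: str) -> Tuple[int, dict]:
    """Handler for GET /{userid}/getEmail: allowed only when the token subject is that user."""
    claims = verify_token(bearer_token)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    if claims.get("sub") != path_userid:
        # Authenticated, but asking for somebody else's email
        return 403, {"error": "not authorized"}
    email = USER_EMAILS.get(path_userid)
    if email is None:
        return 404, {"error": "unknown user"}
    return 200, {"email": email}


def get_current_email(bearer_token: str) -> Tuple[int, dict]:
    """Handler for GET /current/getEmail: the subject comes from the token, so no path check is needed."""
    claims = verify_token(bearer_token)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    email = USER_EMAILS.get(claims.get("sub"))
    if email is None:
        return 404, {"error": "unknown user"}
    return 200, {"email": email}


if __name__ == "__main__":
    own = mint_token("user-123")
    print(get_email("user-123", own))       # 200, alice's email
    print(get_email("user-456", own))       # 403, token belongs to another user
    print(get_current_email(own))           # 200, alice's email
```

The ownership decision is made on the `sub` claim after signature and expiry validation, never on anything the client sends outside the token; with real Keycloak tokens the same comparison applies, only the verification step changes to RS256 with the realm public key.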