Add resource-based authorization

[m-v-k]

Works awesome for Role-based authorization Would be even more awesome to also be able to use it for Resource-based authorization.

From the Keycloak Docs

If the application you are protecting is enabled with Keycloak authorization services and you have defined client credentials in keycloak.json, you can push additional claims to the server and make them available to your policies in order to make decisions. For that, you can define a claims configuration option which expects a function that returns a JSON with the claims you want to push

app.get('/protected/resource', keycloak.enforcer(['resource:view', 'resource:write'], {
         ​claims: function(request) {
           ​return {
             ​"http.uri": ["/protected/resource"],
             ​"user.agent": // get user agent  from request
           ​}
         ​}
       ​}), function (req, res) {
// access granted

This way there is full blown support for the more fine-grained authorizations like ABAC. So for example:

type Article {
    id: ID!
    title: String!
    content: String!
  }

  type Query {
    listArticles: [Article]! @hasPermission(resources: 'Article:view')
  }

  type Mutation {
    publishArticle(title: String!, content: String!): Article! @hasPermission(resources: ['Article:publish','Article:someotherscope'])
  }

[wtrocki]

Amazing idea! Would really love to look into this but because of time constraints, it could be a while. I will leave it open and add it to my backlog. It should be easy to do it considering that Api that we talking about is exposed and available.

If you would like to help and contribute let me know. I can setup some base for you etc.

[slavko-vega]

Hi @wtrocki, we'd like to contribute on this project. The PR is created with implementation for this feature https://github.com/aerogear/keycloak-connect-graphql/pull/119.

[m-v-k]

i see it's merged 👍