Create application menu with permission

Hi to all.
I have a menu with a lot multi-level entries. For instance:


    • new customer order
    • delete customer order
    • new supplier order
    • delete supplier order

Each menu entry has a unique code for identification.

I would show to the user only the voices he has access.
If the role is “customer service” for example, I must read the CUSTOMER submenu and its sons, no SUPPLIER submenu.

My idea is to create a resource for each menu entry (in this example they are 7, in my app they are about 50), maybe set resource_type = ‘menuentry’, and to give permission to different roles (via policies).

When an user ask for it’s menu, I need to check permissions to the records.

Does exists a smart way to do this?

Now, I’am searching for parent entry and recursively:

 if ( user.hasPermission(parent_entry) ) then
    put parent_entry in the menu
    check for parent_entry's children
   skip this entry and all the childrens

In the worst case, in this way I call che permission check on Keycloak N times for each menu’s creation request (each times an user refresh or leave a web pages with menu inside).

You should take a look at the urn:ietf:params:oauth:grant-type:uma-ticket grant type on

If your Authorisation requirements are straightforward then you can use a combination of roles and scopes to protect your resources and show/hide items in your application’s menu.

See: Angular, OAuth 2.0 and Keycloak

However, if your Authorisation requirements are more sophisticated then you might want to take advantage of Keycloak’s support for Requesting Party Tokens.

Thank you for the hint. I’ve tryed the API request and it can fit my necessity.

It would be fantastic if I could request the parameter by resource type (for example type=menu VS type=webservice).
For now, i’ll add a scope to my menu-resources and query for that scope to filter only the resources with type=menu.

Thank you Robinyo.

I haven’t specified that I use java.

I wrote the client in bash (using curl) and it works.

Does exists a client in Java that do this api request?

PS : for those that want to try, this is my bash function

function login_token_endpoint {
read -p "Access Token : " -r
read -p "Resource Name : " -r
response=$(curl -X POST http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
    --insecure -H "Authorization: Bearer ${access_token}" \
    --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
    --data "audience=${resource_server_client_id}" \
    --data "response_include_resource_name=true" \
    --data "response_mode=permissions"
echo "Response:"
jq --color-output . <<< $response