Keycloak Authorization Services, guarding resource by method

I’m trying to use Keycloak’s authorization services to guard a resource by HTTP method. For a single resource, say /album/{id} from the photoz quickstart, is it possible to define something like: for GETs the user needs the album:view scope, and for DELETEs, the user needs the album:delete scope?

I understand that there’s some provision for http-method-as-scope, I could include that, but then I’d need to create 2 resources, one something like GET /album/{id}, which watches for GET and album:view, and another one for DELETE /album/{id}, which watches for DELETE and album:delete. With this, the sharing experience for the end user will be awkward, since the end user has to know to share the GET or DELETE resource

It’s possible to configure policy-enforcer on the app side, but then I won’t be able to dynamically update the enforcer logic from Keycloak.

Hello @ackerleytng,

Were you able to find a solution?
I am trying to integrate Angular with Spring boot rest api, but stuck @ Keycloak authorization.

Any guidance is appreciated.


Hi @rejimohamed,

Eventually we didn’t use Keycloak’s authorization services. That was about half a year ago though, so things might have changed since then!


Ok Thank you for your feedback…