Today I have a single public client used by the web GUI. When end users create resources via the GUI, the backend associates the token’s sub to the resources so that I know who owns the resources. I don’t use scope- or resource-based permissions.
Now let’s say end user Sally wants to access her resources via the API. My understanding is that a new (bearer only?) client should be created for Sally specifically for this case.
How should I indicate to my resource server that this new client has rights to Sally’s resources?
I see the following options, which do you recommend?
- Start using Keycloak’s resource-based permissions and policies. This seems like a lot of work but probably provides the most flexibility. My resource server is PHP and there are no client adapters, meaning I have to code all the API REST calls myself.
- Create a Keycloak group (or role?) for each logical resource owner and place Sally and the new client into that group. Modify the backend to start using these new groups.
- Just hack the backend so that I retrieve Sally’s resources when the new client requests them.
Have I missed anything? Thanks in advance for your feedback!
P.S. I foresee a future where my application will need to be “multi-user” in the sense that a company will contract my service and require multiple users. Today this doesn’t work.
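An added example, not part of the original post, of the authorization check a resource server would need for the group-based option described above, next to the "owner == token sub" rule the post says the backend uses today. The poster's backend is PHP; this is written in Python purely to show the logic. The token payloads are constructed and assumed to have already passed signature, issuer, audience and expiry verification; `sub` and `azp` are standard Keycloak access-token claims, while a `groups` claim only exists if a Group Membership protocol mapper (with full group path) is configured on the client, and the `/owners/<name>` naming is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner_sub: str                 # sub of the end user who created it via the GUI
    owner_group: Optional[str]     # logical owner group, e.g. "/owners/sally" (assumed naming)


def is_authorized(claims: Dict, resource: Resource) -> Tuple[bool, str]:
    """Decide whether an already-verified token may act on `resource`.

    Returns (allowed, reason). Two rules are combined:
      1. the current rule from the post: the token's sub is the resource owner;
      2. the proposed rule: the token carries the resource's owner group in its
         `groups` claim (end user and API client both placed in that group).
    Anything else is denied, including tokens without a usable sub or groups claim.
    """
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        return False, "token has no sub"

    # Rule 1: direct ownership, as the backend does today.
    if sub == resource.owner_sub:
        return True, "owner sub matches"

    # Rule 2: membership in the resource's owner group.
    if resource.owner_group is None:
        return False, "resource has no owner group and sub does not match"
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return False, "token has no groups claim (mapper not configured?)"
    if resource.owner_group in groups:
        return True, f"member of owner group {resource.owner_group}"

    return False, "not owner and not in owner group"


# Constructed sample data: three already-verified token payloads and one resource.
SALLY_GUI_TOKEN = {"sub": "sally-uuid", "azp": "web-gui", "groups": ["/owners/sally"]}
SALLY_API_CLIENT_TOKEN = {"sub": "svc-sally-uuid", "azp": "sally-api-client",
                          "groups": ["/owners/sally"]}
BOB_GUI_TOKEN = {"sub": "bob-uuid", "azp": "web-gui", "groups": ["/owners/bob"]}
LEGACY_TOKEN_NO_GROUPS = {"sub": "svc-sally-uuid", "azp": "sally-api-client"}

SALLY_RESOURCE = Resource(resource_id="r-1", owner_sub="sally-uuid",
                          owner_group="/owners/sally")


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run every sample token against Sally's resource and return the decisions."""
    return {
        "sally_gui": is_authorized(SALLY_GUI_TOKEN, SALLY_RESOURCE),
        "sally_api_client": is_authorized(SALLY_API_CLIENT_TOKEN, SALLY_RESOURCE),
        "bob_gui": is_authorized(BOB_GUI_TOKEN, SALLY_RESOURCE),
        "client_without_groups_claim": is_authorized(LEGACY_TOKEN_NO_GROUPS, SALLY_RESOURCE),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The point of the last sample is the failure mode to watch for when moving to groups: an API client whose token lacks the `groups` claim (mapper not added, or added to a different client) is denied rather than silently matched, so a misconfiguration shows up as a 403 instead of as access to someone else's data.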