Use Keycloak to filter HTTP request methods for certain users

Hello everyone,

Because with OntoDocker's API key one can execute any HTTP request method, one can create, upload or delete data freely. That would be dangerous.

I would like to know if there is a way to prevent certain users from executing certain HTTP request methods like POST, PUT and DELETE (i.e., only GET is allowed).
Would it be possible to do this directly in Keycloak… or some other way?

At the moment, I can only think of a workaround that does not provide the API key (e.g. https://ontodocker.material-digital.de/ does not show the API key).

Best regards,

Ya-Fan

Hello Ya-Fan,

This feature is not activated in the current version of the ontodocker.

One could activate the line https://git.material-digital.de/apps/ontodocker/-/blob/master/flask_app/app/auth.py#L111 and add the user in Keycloak to the corresponding role that is defined in current_app.config['KEYCLOAK_REQUIRED_ROLE']; this allows a user to access the app completely or not at all.

Best regards,
Jannis Grundmann

Thank you so much @jannis.grundmann for the quick reply.

That's good to hear this feature (@require_role()) already exists.
Does this feature also apply to the different request methods in
https://git.material-digital.de/apps/ontodocker/-/blob/master/flask_app/app/api.py?
So in this way we could apply the decorator @require_role() to restrict certain users for certain request modes?

I also found a document about enabling policy enforcement in Keycloak.
https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_filter
But it seems that OntoDocker did not use the keycloak.json file when connecting to Keycloak.

I have not tested the above two solutions yet. So I am not sure if they work or not.

Best regards,

Ya-Fan

Hi Ya-Fan,
As far as I know, the decorators are only applicable to a whole function. Maybe the request methods could be split into multiple functions, where the decorator is used.

I don’t know enough about the policy enforcement in keycloak to say if this is feasible.

Best regards,
Jannis
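As an added illustration of the per-function split suggested above (example code written for this thread, not OntoDocker's auth.py or api.py): a stand-in require_role decorator reads the realm_access.roles claim that Keycloak places in its access tokens, the GET handler carries no role check, and the PUT/DELETE handlers require a hypothetical ontodocker-writer role. The Request class, the role name and the dispatch function are assumptions made for the example.

```python
from dataclasses import dataclass, field
from functools import wraps


class Forbidden(Exception):
    """Raised when the caller lacks the role a handler requires."""


@dataclass
class Request:
    method: str
    # Decoded access-token claims. Keycloak lists realm roles under
    # realm_access.roles; the claim dicts used below are constructed samples.
    claims: dict = field(default_factory=dict)


def require_role(role):
    """Stand-in decorator: reject unless the token carries the realm role."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            roles = request.claims.get("realm_access", {}).get("roles", [])
            if role not in roles:
                raise Forbidden(f"{request.method} requires role {role!r}")
            return view(request, *args, **kwargs)
        return wrapper
    return decorator

# One function per method, so only the write methods carry the decorator.
def get_dataset(request, name):
    return 200, f"read {name}"

@require_role("ontodocker-writer")  # hypothetical role name
def put_dataset(request, name):
    return 201, f"wrote {name}"

@require_role("ontodocker-writer")
def delete_dataset(request, name):
    return 204, f"deleted {name}"

HANDLERS = {"GET": get_dataset, "PUT": put_dataset, "DELETE": delete_dataset}


def dispatch(request, name):
    """Route by method: 403 when the role check fails, 405 if unmapped."""
    handler = HANDLERS.get(request.method)
    if handler is None:
        return 405, "method not allowed"
    try:
        return handler(request, name)
    except Forbidden as exc:
        return 403, str(exc)
```

A read-only user therefore gets 200 on GET and 403 on PUT or DELETE, while a token carrying the writer role passes all three.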