I am using Kong as my API gateway and the kong-oidc plugin for authentication with Keycloak. The authentication process is smooth and running fine. Now I want to add authorization for the requests made to Kong for different microservices. I am planning to modify the kong-oidc plugin. I have created a confidential client, role-based policies and resource-based permissions, along with some users assigned different roles in Keycloak. I want to authorize a user if he has permission to access a specific resource. I can do that with the following request:
curl -X POST http://keycloak-url/auth/realms/$realm/protocol/openid-connect/token \
-H "Authorization: Bearer "$access_token \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "audience=auth-client" \
--data "permission=af-resource" \
--data "response_mode=decision"
I am concerned with permission=af-resource. During the request I cannot know the name of the resource, only the requested URL. Do I have to make another request to Keycloak to get the resource-id for the requested URL and then send the above request for a decision, or is there another way? Or can I somehow use the information from the token-introspection endpoint?
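Worked example added after the question, not the asker's code and not part of kong-oidc: it shows the two-step flow the question describes, resolving the requested URL to a Keycloak resource id through the Protection API's resource query (`GET .../authz/protection/resource_set?uri=...`, which needs a PAT for the client itself rather than the user's token) and then sending the uma-ticket decision request quoted above with `permission=<resource-id>#<scope>`. Keycloak is replaced by a constructed in-process fake so the example runs offline; the realm name, the `/auth` context path, the verb-to-scope mapping and the fake data are assumptions.

```python
"""Added example: URL -> Keycloak resource id -> UMA decision (offline fake)."""
import json
from urllib.parse import parse_qs, quote, unquote, urlencode

# Assumptions: legacy /auth context path as in the question, realm and client names.
KEYCLOAK = "http://keycloak-url/auth"
REALM = "demo"
AUDIENCE = "auth-client"
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

# HTTP verb -> authorization scope. Scope names are an assumption about how
# the resources were defined in Keycloak; unmapped verbs are denied.
VERB_SCOPES = {"GET": "view", "HEAD": "view", "POST": "create",
               "PUT": "update", "PATCH": "update", "DELETE": "delete"}


def token_endpoint():
    return f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token"


def resource_lookup_url(path):
    # Protection API query by URI. Authenticated with a PAT (a token the client
    # obtains for itself via client_credentials), not with the user's token.
    return (f"{KEYCLOAK}/realms/{REALM}/authz/protection/resource_set"
            f"?uri={quote(path, safe='')}")


def lookup_resource_ids(http, pat, path):
    """Return ids of the resources whose registered URI matches `path`."""
    status, body = http("GET", resource_lookup_url(path),
                        {"Authorization": f"Bearer {pat}"}, None)
    return json.loads(body) if status == 200 else []


def uma_decision(http, access_token, permissions):
    """POST the uma-ticket grant with response_mode=decision.
    True only on HTTP 200 with {"result": true}; a 403 is a denial."""
    form = [("grant_type", UMA_GRANT), ("audience", AUDIENCE),
            ("response_mode", "decision")]
    form += [("permission", p) for p in permissions]  # one param per resource
    status, body = http("POST", token_endpoint(),
                        {"Authorization": f"Bearer {access_token}",
                         "Content-Type": "application/x-www-form-urlencoded"},
                        urlencode(form))
    return status == 200 and json.loads(body).get("result") is True


def authorize_request(http, pat, access_token, method, path):
    """Gateway-side check: fail closed on unmapped verbs and unknown URLs."""
    scope = VERB_SCOPES.get(method.upper())
    if scope is None:
        return False
    ids = lookup_resource_ids(http, pat, path)
    if not ids:
        return False  # no Keycloak resource covers this URL
    return uma_decision(http, access_token, [f"{rid}#{scope}" for rid in ids])


# --- constructed fake Keycloak so the example runs offline -------------------
FAKE_PAT = "client-pat"
FAKE_RESOURCES = {"/api/orders/42": ["res-orders"]}   # registered URI -> ids
FAKE_GRANTS = {"alice-token": {"res-orders#view"}}     # user token -> allowed


def fake_keycloak(method, url, headers, data):
    """Stand-in for the two Keycloak endpoints; returns (status, body)."""
    if method == "GET" and url.startswith(resource_lookup_url("")):
        if headers.get("Authorization") != f"Bearer {FAKE_PAT}":
            return 401, json.dumps({"error": "invalid_token"})
        path = unquote(url.split("uri=", 1)[1])
        return 200, json.dumps(FAKE_RESOURCES.get(path, []))
    if method == "POST" and url == token_endpoint():
        form = parse_qs(data)
        if (form.get("grant_type") != [UMA_GRANT]
                or form.get("response_mode") != ["decision"]):
            return 400, json.dumps({"error": "invalid_request"})
        user = headers.get("Authorization", "").removeprefix("Bearer ")
        if set(form.get("permission", [])) <= FAKE_GRANTS.get(user, set()):
            return 200, json.dumps({"result": True})
        return 403, json.dumps({"error": "access_denied",
                                "error_description": "not_authorized"})
    return 404, ""


if __name__ == "__main__":
    for verb, path in [("GET", "/api/orders/42"), ("DELETE", "/api/orders/42"),
                       ("GET", "/api/unknown")]:
        ok = authorize_request(fake_keycloak, FAKE_PAT, "alice-token", verb, path)
        print(f"{verb} {path}: {'allow' if ok else 'deny'}")
```

The resource lookup is keyed on the URI registered with the resource in Keycloak, so the gateway must query with the same path form (or a normalized prefix) that was registered; a URL matching no resource is denied rather than passed through.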