I’m working on reworking our APIs to work better with the Oathkeeper / Zero Trust model. The biggest pain point for me so far has been figuring out how to allow filtering based on access.
For example, taking an example from the Keto docs, let’s use blog posts. I want to restrict access based on resource definitions like blogpost:1, blogpost:2, blogpost:3, and use policies like blogpost:*.
That’s great, but what if I want to only allow users to see a specific subset of these? From an access control perspective, that’s easy: just add each individual post ID / a pattern to the user’s policy / role.
From a UI perspective, I’m not sure how to accomplish this. What would the endpoint to request access to the subset of resources look like? I wouldn’t think the frontend should just try to access every single blog post and test each individually. I’d want to hide posts that the user does not have access to.
Based on Keto’s available APIs, the best thing I could come up with is GET /blogposts/group, using the group in the URL for Oathkeeper to use in the required resource, like blogpost:{group}:*. This would mean I’d have to store a list of groups for each blog post in our database and filter queries based on that list.
That makes it a little better in a way, but it still doesn’t allow me to simply list all blog posts a user has access to. Maybe the user has access to several of these custom-made “blog post access groups”.
Would I have to have an API that checks the Keto Allowed API for each unique group?
What is the best way to solve something like this?
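Added example (my own, not code from Ory Keto or Oathkeeper) of the group-based filtering sketched above: one access decision per distinct group rather than per post, with an in-memory glob policy evaluator standing in for Keto's Allowed API and constructed post/group data. The policy shape, the endpoint named in the comment and the group names are assumptions.

```python
"""Filter blog posts by access group with one Keto-style 'allowed' check per group.

Constructed example: POLICIES, POSTS and allowed() stand in for Keto; they are
not Keto's own code or data.
"""
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Set

# Constructed policies in the shape of Keto's glob flavour: each policy grants
# `actions` on resources matching `resources` to the listed subjects.
POLICIES = [
    {"subjects": ["alice"], "actions": ["read"], "resources": ["blogpost:eng:*"]},
    {"subjects": ["alice"], "actions": ["read"], "resources": ["blogpost:public:*"]},
    {"subjects": ["bob"], "actions": ["read"], "resources": ["blogpost:public:*"]},
]


def allowed(subject: str, action: str, resource: str) -> bool:
    """Local stand-in for Keto's Allowed API (assumed: glob flavour)."""
    return any(
        subject in p["subjects"]
        and action in p["actions"]
        and any(fnmatchcase(resource, pat) for pat in p["resources"])
        for p in POLICIES
    )


# Constructed post table: each post stores the access groups it belongs to.
POSTS: Dict[int, List[str]] = {1: ["eng"], 2: ["public"], 3: ["finance"], 4: ["eng", "public"]}


def visible_posts(subject: str, posts: Dict[int, List[str]],
                  check: Callable[[str, str, str], bool] = allowed) -> List[int]:
    """Return the IDs the subject may read, calling `check` once per distinct group."""
    groups: Set[str] = {g for gs in posts.values() for g in gs}
    # One decision per group, not per post: blogpost:{group}:* is the resource
    # pattern the post above proposes handing to Oathkeeper.
    readable = {g for g in sorted(groups) if check(subject, "read", f"blogpost:{g}:*")}
    # The database-side equivalent is a WHERE clause on the post's group list.
    return [pid for pid, gs in posts.items() if readable.intersection(gs)]
```

A subject with a blanket policy such as blogpost:* passes every group check, so the whole table becomes visible without any per-post call.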