[keycloak-dev] Feedback on authz services

Stian Thorgersen sthorger at redhat.com
Tue Jul 19 04:02:48 EDT 2016


Things we could add:
----------------------------

* Add policy enforcement support to Keycloak Proxy

* Node.js adapter


Comments:
---------------

* Docs - added a few comments
(https://www.gitbook.com/book/keycloak/authorization-services-guide/discussions)

* JS Policy - I found it hard to figure out how to write these, especially
since the docs are showing Java interfaces

* Attribute based policy - We don't seem to have a simple attribute based
policy, should we not have this?

* Default policy (only from realm) - This default makes no sense. I'd
suggest removing or replacing with something that's more obvious like
"require user to have an email set"

* Time policy - what about date/time ranges (Mon-Fri, 9am to 17pm, 18-20th
June, etc.)

* Evaluate in console - this is a bit awkward to use. I propose we add a
"view example token" option to clients that can be used to show what a token
would look like for a specific user. This would be useful when figuring out
protocol mappers, etc. Then we could piggyback on this feature in the
evaluation so "real" values from a token could be used when testing
policies rather than having to manually add all values. This is especially
relevant to ABAC-based policies.

* Role policy - can only select realm level roles. What about client roles?

* Scope - is scope not already a very overused term? Could we call this
actions, operations or something else?

* Usability - it's easier to find policies and resources on the tabs than
it is when creating a permission. Maybe we could add a modal panel that
helps to find resources and policies?