[keycloak-dev] Interactive claims gathering flow

Pedro Igor Silva psilva at redhat.com
Wed Nov 28 06:20:28 EST 2018


Hi Ainga,

Nice to see such interest on your part.

As you know, we don't support this specific part of UMA specs. The reason
is that we did not have much demand from the community until now.

However, to overcome the lack of claims gathering in our implementation, to
provide a solution that could help non-UMA use cases, and in order to
still allow permissions to be evaluated based on arbitrary claims, we allow
resource servers to push claims to Keycloak so policies can use these
claims to make their decisions.

I do believe that your proposal would be a great addition to Keycloak,
where these claims could be "gathered" more dynamically based on some
user-defined flow, all of that managed by Keycloak. I think it is also a step
toward step-up authentication and authorization ...

I think the most challenging part of this capability is how we configure
the flow in Keycloak, what we would provide OOTB (e.g.: ask for a 2nd factor,
a questionnaire, etc.) and how to extend Keycloak to support custom flows.
Another important aspect is related to the PCT and how to manage it
properly, and securely.

So, how to get started ... I would suggest you start implementing
something based on your requirements and use case. I can help you during
this process. Once we define this initial scope and implementation we can start
discussing how to make the solution generic/flexible enough to address more
requirements.

FYI, we have this JIRA [1]. Please put your requirements and use case
there and let's start a discussion around this.

[1] https://issues.jboss.org/browse/KEYCLOAK-6868

Thanks.
Pedro Igor

On Wed, Nov 28, 2018 at 7:31 AM Aingaran Pillai <apillai at zaizi.com> wrote:

> Hi,
>
> We are looking at adding support for the UMA2 interactive claims gathering flow
> to Keycloak (which I assume is currently not supported). We are a
> small consultancy that has implemented Keycloak extensively but never
> extended it. Is this an area we can contribute developer time to, with some
> mentoring from the community? If so, where would we get started?
>
> Regards
> Ainga
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
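Pedro's message refers to the mechanism Keycloak offers in place of interactive claims gathering: a resource server pushes claims to the token endpoint along with a UMA ticket request, and authorization policies evaluate those claims. The following Python is an added illustration of the resource-server side of that exchange; it is not Keycloak's code and not something either participant posted. It assumes the token-endpoint parameters documented for Keycloak authorization services (`grant_type=urn:ietf:params:oauth:grant-type:uma-ticket`, `audience`, `claim_token` carrying base64-encoded JSON whose values are lists of strings, optional `claim_token_format` and repeatable `permission` entries). The endpoint URL, claim names and permission strings are constructed sample values.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# UMA 2.0 grant type Keycloak's token endpoint accepts for permission requests.
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def encode_claim_token(claims):
    """Serialise pushed claims as Keycloak expects them in the claim_token
    parameter: a base64-encoded JSON object whose values are lists of
    strings. Scalar values are wrapped into single-element lists so the
    server sees the same shape for every claim."""
    if not isinstance(claims, dict):
        raise TypeError("claims must be a JSON object (dict)")
    normalised = {}
    for name, value in claims.items():
        if isinstance(value, (list, tuple)):
            normalised[name] = [str(v) for v in value]
        else:
            normalised[name] = [str(value)]
    raw = json.dumps(normalised, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_claim_token(claim_token):
    """Inverse of encode_claim_token, with the shape checks a receiver should
    apply before trusting the content: a JSON object mapping names to lists
    of strings. Raises ValueError for anything else."""
    raw = base64.b64decode(claim_token)
    claims = json.loads(raw.decode("utf-8"))
    if not isinstance(claims, dict):
        raise ValueError("claim_token must decode to a JSON object")
    for name, values in claims.items():
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise ValueError("claim %r must map to a list of strings" % name)
    return claims


def is_valid_claim_token(claim_token):
    """True if the token decodes to a well-formed pushed-claims object."""
    try:
        decode_claim_token(claim_token)
        return True
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return False


def build_uma_ticket_request(audience, claims, permissions=(), claim_token_format=None):
    """Build the form fields for a UMA ticket grant that pushes claims.

    permissions: strings of the form "resource_name#scope"; the parameter is
    repeatable, so the fields are returned as a list of pairs rather than a
    dict. The pushed claims are asserted by the caller, so Keycloak only
    trusts them as far as it trusts the authenticated party making this
    request; they are not proof of anything about the user on their own.
    """
    fields = [
        ("grant_type", UMA_TICKET_GRANT),
        ("audience", audience),
        ("claim_token", encode_claim_token(claims)),
    ]
    if claim_token_format:
        fields.append(("claim_token_format", claim_token_format))
    for permission in permissions:
        fields.append(("permission", permission))
    return fields


def send_uma_ticket_request(token_endpoint, fields, bearer_token):
    """POST the request to the realm's token endpoint on behalf of the
    requesting party (their access token goes in the Authorization header)
    and return the parsed JSON response (an RPT on success)."""
    body = urlencode(fields).encode("ascii")
    req = urllib.request.Request(token_endpoint, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Authorization", "Bearer " + bearer_token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; nothing is sent here.
    fields = build_uma_ticket_request(
        audience="my-resource-server",
        claims={"organization": ["acme"], "tier": "gold"},
        permissions=["Resource A#Scope A"],
    )
    print(urlencode(fields))
    print(decode_claim_token(dict(fields)["claim_token"]))
```

A policy on the Keycloak side (a JavaScript policy, for instance) then reads these values from the evaluation context and grants or denies the requested scopes; which party is allowed to push which claims is a decision the resource server has to make before it asserts them.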

