[keycloak-user] Does Keycloak compliant with XACML 2.0 or 3.0 standard?

Pedro Igor Silva psilva at redhat.com
Thu Jul 14 14:21:43 EDT 2016


Hi Alexander,

    Thanks for asking this. Quick answer is: Not yet. Near term, you can expect support for XACML policies but I'm not sure about the whole protocol itself. Our services are really based on OAuth2, OpenID Connect and UMA [1], where the latter plays an important role.

    Like Stian said, Keycloak Authorization Services is not trying to answer XACML in any way. On the contrary, we have plans to support XACML in the future. Especially XACML policies, where you would be able to import them and have them managed by Keycloak.

    Aggregated policies are just one of the different types of policies we provide. They are not really related to XACML. In fact, they give you a lot of flexibility when writing more complex policies and favor reuse.

    Some of the XACML features that you mentioned can also be achieved with Keycloak. For instance, aggregated policies can help you to combine different policies and manage their results. Delegation and Obligation/Claim Gathering would be possible as soon as we finish our UMA implementation. You can define different decision strategies for permissions or aggregated policies, which are similar to XACML combining algorithms.

    However, authorization requests and decisions are always associated with a token, where decisions are made based on the user and the client represented by this token. Unlike XACML, you cannot send authorization requests for different subjects (multiple decision profile?) but you can ask for different resources/scopes.

[1] https://docs.kantarainitiative.org/uma/rec-uma-core.html

Regards.
Pedro Igor
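
To make the "decision strategies" and "one token, many resources/scopes" points above concrete, here is an added, self-contained sketch (not Keycloak's own code) that models Keycloak-style UNANIMOUS / AFFIRMATIVE / CONSENSUS strategies over aggregated policies and evaluates several resource#scope requests for the single subject a token represents. The token claim layout, resources and policies are constructed for illustration, and the XACML analogues in the comments are rough, not exact.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"

class Strategy(Enum):
    UNANIMOUS = "UNANIMOUS"      # every policy must permit (roughly XACML deny-overrides)
    AFFIRMATIVE = "AFFIRMATIVE"  # one permit is enough (roughly XACML permit-overrides)
    CONSENSUS = "CONSENSUS"      # permits must outnumber denies

def combine(results, strategy):
    """Reduce a list of policy decisions to one; an empty list is a DENY."""
    permits = sum(1 for r in results if r is Decision.PERMIT)
    denies = len(results) - permits
    if not results:
        return Decision.DENY
    if strategy is Strategy.UNANIMOUS:
        return Decision.PERMIT if denies == 0 else Decision.DENY
    if strategy is Strategy.AFFIRMATIVE:
        return Decision.PERMIT if permits > 0 else Decision.DENY
    return Decision.PERMIT if permits > denies else Decision.DENY

def role_policy(role):  # permit when the token's roles (hypothetical claim layout) include `role`
    return lambda token, res, scope: Decision.PERMIT if role in token.get("roles", ()) else Decision.DENY

def client_policy(client_id):  # permit when the token was issued to `client_id` (the azp claim)
    return lambda token, res, scope: Decision.PERMIT if token.get("azp") == client_id else Decision.DENY

def aggregated(policies, strategy):  # an aggregated policy combines its children with its own strategy
    return lambda token, res, scope: combine([p(token, res, scope) for p in policies], strategy)

def evaluate(token, permissions, requests):
    """Decide each "resource#scope" request for the ONE subject/client the token represents;
    permissions maps resource -> (allowed scopes, policies, strategy)."""
    decisions = {}
    for req in requests:
        resource, _, scope = req.partition("#")
        scopes, policies, strategy = permissions.get(resource, ((), [], Strategy.UNANIMOUS))
        if scope and scope not in scopes:  # scope not defined for the resource: nothing grants it
            decisions[req] = Decision.DENY
        else:
            decisions[req] = combine([p(token, resource, scope) for p in policies], strategy)
    return decisions

# Constructed sample: alice holds only the "user" role and calls through client "my-app".
TOKEN = {"sub": "alice", "azp": "my-app", "roles": ["user"]}
PERMISSIONS = {
    "Reports": (("view", "delete"), [aggregated([role_policy("admin"), client_policy("my-app")], Strategy.AFFIRMATIVE)], Strategy.UNANIMOUS),
    "Audit": (("view",), [role_policy("admin")], Strategy.UNANIMOUS),
}
```

`evaluate(TOKEN, PERMISSIONS, ["Reports#view", "Audit#view"])` permits the first request (the client policy satisfies the AFFIRMATIVE aggregate) and denies the second; deciding for a second subject requires a second token and a second call, which is the single-subject limitation described above.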

----- Original Message -----
> From: "Stian Thorgersen" <sthorger at redhat.com>
> To: "Alexander Zagniotov" <azagniotov at gmail.com>, "Pedro Igor Silva" <psilva at redhat.com>
> Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Thursday, July 14, 2016 4:30:47 AM
> Subject: Re: [keycloak-user] Does Keycloak compliant with XACML 2.0 or 3.0 standard?
> 
> We're not supporting XACML 2.0 or 3.0. I haven't looked at XACML 3 yet
> myself, but it sounds like it is a significant improvement and it would be
> worth considering adding a XACML 3 policy.
> 
> Aggregated policies are a natural addition to Keycloak and it's not
> directly an answer to XACML but rather an alternative approach.
> 
> Pedro can probably elaborate a bit more on this though.
> 
> On 13 July 2016 at 00:40, Alexander Zagniotov <azagniotov at gmail.com> wrote:
> 
> > Hello All,
> >
> > As per subject.
> >
> > I am also interested to know if Keycloak supports new features provided by
> > XACML 3.0:
> > Multiple Decision Profile, Policy combination algorithms,  Delegation, etc.
> >
> > That being said, is the aggregated policies feature Keycloak's answer to
> > some of the XACML 3.0 new features?
> >
> >
> > Thanks
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 

