Sounds like a nice addition to me. I presume the RPT endpoint already has
support for the server-side part?
On 5 April 2018 at 16:41, Pedro Igor Silva <psilva(a)redhat.com> wrote:
Hi,
I'm currently working on
https://issues.jboss.org/browse/KEYCLOAK-4903.
This is all about allowing applications to push arbitrary claims to
Keycloak prior to evaluating permissions on the server. A simple example to
illustrate the idea: a request arrives, you extract what you want from there
(parameters, headers, etc) and "push" the information from the request as
claims in order to evaluate your permissions.
There are endless possibilities on what you can push and how.
From a design perspective, I was thinking about providing a SPI on the
adapter side (as simple as using ServiceLoader) to load built-in and
user-defined "claim information points". Examples of built-in
implementations would be:
* Extract parameters
* Extract headers
* Extract path parameters
* Extract cookies
* Invoke an external "policy information point"
What do you think?
Regards.
Pedro Igor
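
A sketch of the adapter-side SPI proposed in the message above, added here as an illustration; it is not Keycloak code and not part of the original thread. The `ClaimInformationPoint` interface, the `Request` and `Extractor` types, the claim naming and the allow-list of names are assumptions made for the example.

```java
import java.util.*;

public class ClaimPushDemo {
    // Built-ins are registered directly; user-defined points are discovered through
    // META-INF/services entries on the classpath (none exist in this stand-alone file).
    static Map<String, List<String>> collect(Request req, List<ClaimInformationPoint> builtIns) {
        List<ClaimInformationPoint> points = new ArrayList<>(builtIns);
        ServiceLoader.load(ClaimInformationPoint.class).forEach(points::add);
        Map<String, List<String>> claims = new TreeMap<>();
        for (ClaimInformationPoint p : points) {
            p.resolve(req).forEach((k, v) -> claims.put(p.name() + "." + k, v));
        }
        return claims;
    }

    public static void main(String[] args) {
        // Constructed sample request.
        Request req = new Request(
            Map.of("X-Tenant", "acme", "Authorization", "Bearer <token>"),
            Map.of("amount", "250", "debug", "true"));
        List<ClaimInformationPoint> builtIns = List.of(
            new Extractor("header", Request::headers, Set.of("x-tenant")),
            new Extractor("param", Request::parameters, Set.of("amount")));
        System.out.println(collect(req, builtIns));
    }
}

// Hypothetical SPI (not Keycloak's API): turns part of a request into claims.
interface ClaimInformationPoint {
    String name();
    Map<String, List<String>> resolve(Request request);
}

// Minimal stand-in for an HTTP request.
record Request(Map<String, String> headers, Map<String, String> parameters) {}

// One built-in covering "extract headers" and "extract parameters": it copies only
// the names it was configured with, so credentials in the request are not pushed.
record Extractor(String name, java.util.function.Function<Request, Map<String, String>> source,
                 Set<String> allowed) implements ClaimInformationPoint {
    public Map<String, List<String>> resolve(Request request) {
        Map<String, List<String>> out = new TreeMap<>();
        source.apply(request).forEach((k, v) -> {
            String key = k.toLowerCase(Locale.ROOT);
            if (allowed.contains(key)) out.put(key, List.of(v));
        });
        return out;
    }
}
```

The resulting map is what an adapter would send along with the permission request; the `Authorization` header and the `debug` parameter are left out because they are not on the configured lists.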