How about using different clients for different companies? You can control the scopes the
clients may ask for.
Best regards,
Sebastian
Kind regards / Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin | GERMANY |
www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com
Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Management: Dr.-Ing. Rainer
Kallenbach, Michael Hahn
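Sebastian's suggestion modelled as an added example (not code from the thread or from Keycloak): one OAuth client per company, an authorization server that refuses scopes a client is not allowed to request, and a resource server that decides from the token's azp and scope claims rather than from a user attribute. The client ids, scope names and the HS256 key are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed data: one client per company; each may request only its own scopes.
CLIENT_SCOPES = {
    "companyA-app": {"resourceA:read"},
    "companyB-app": set(),  # companyB's client may not ask for resourceA at all
}
SIGNING_KEY = b"constructed-hs256-key"  # example-only shared secret

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(client_id: str, user: str, requested: set) -> str:
    """Authorization server: refuse scopes the client may not request, then sign."""
    allowed = CLIENT_SCOPES.get(client_id)
    if allowed is None or requested - allowed:
        raise PermissionError(f"{client_id} may not request {sorted(requested)}")
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "azp": client_id, "scope": " ".join(sorted(requested)),
              "exp": int(time.time()) + 300}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def is_authorized(token: str, resource_scope: str) -> bool:
    """Resource server: verify signature and expiry, then decide from the
    scope granted to the client (azp) behind this session, not from the user."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= time.time():
        return False
    return resource_scope in claims.get("scope", "").split()

def check_access(client_id: str, user: str, resource_scope: str) -> str:
    """End-to-end: user + company client -> 'granted' or 'denied'."""
    try:
        token = issue_token(client_id, user, {resource_scope})
    except PermissionError:
        return "denied"  # refused at the token endpoint
    return "granted" if is_authorized(token, resource_scope) else "denied"
```

The same user logged in through companyA's client gets resourceA while a second session through companyB's client does not, because the decision keys on the client behind the session rather than on a single user attribute.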
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Nathan Hoult
Sent: Thursday, 14 September 2017 19:51
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Multi attribute authorization check
I have a use case where I need to check if a (user)+(company) is authorized for a client
resource.
Example:
user + companyA = resourceA granted
user + companyB = resourceA denied
The user may have multiple browser sessions logged into the same client so I can't
just set a KC user attribute "company=companyA". The service will know, based on
cookie or something, what the company ID is and can pass that information to KC which can
then return if that resource is authorized.
I tried:
1) Scope per company: I got close but it seemed to be the wrong use of scope. I ran into
some issues but if this was the way to do it I can look at it again.
2) Realm per company: then the user would have multiple accounts, clients would have to
trust multiple Realms, adding/removing companies would require a Realm setup, and any
client resource changes would require an update in each Realm. There is also the problem
that a resource being controlled by multiple authorization servers seems wrong
(https://github.com/pingidentity/mod_auth_openidc/issues/199).
I have thought about a hybrid approach but didn't think it was the right way to do it
even if it worked: 1 client realm with all users and clients, that realm trusts multiple
per company realms, then a user logs into a company realm that the client converts to the
client realm but puts in the token which realm the user came from.
I could write my own service, let the applications deal with their own resource
permissions, or make a KC plugin that does what I want, but if KC can't do it by default
does anyone know of another AuthZ implementation that could?
I could be thinking about the problem all wrong to begin with so any input is
appreciated.
Thanks,
- Nathan
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user