Hi Alexander,
Thanks for asking this. Quick answer is: Not yet. Near term, you can expect support
for XACML policies but I'm not sure about the whole protocol itself. Our services are
really based on OAuth2, OpenID Connect and UMA [1], where the latter plays an important
role.
Like Stian said, Keycloak Authorization Services is not trying to answer XACML in any
way. On the contrary, we have plans to support XACML in the future, especially XACML
policies, where you would be able to import them and have them managed by Keycloak.
Aggregated policies are just one of the different types of policies we provide. They
are not really related to XACML. In fact, they give you a lot of flexibility when
writing more complex policies and favor reuse.
Some of the XACML features that you mentioned can also be achieved with Keycloak. For
instance, aggregated policies can help you to combine different policies and manage their
results. Delegation and Obligation/Claim Gathering would be possible as soon as we finish
our UMA implementation. You can define different decision strategies for permissions or
aggregated policies, which are similar to XACML combining algorithms.
However, authorization requests and decisions are always associated with a token,
where decisions are made based on the user and the client represented by this token.
Unlike XACML, you cannot send authorization requests for different subjects
(multiple decision profile?) but you can ask for different resources/scopes.
[1] https://docs.kantarainitiative.org/uma/rec-uma-core.html
Regards.
Pedro Igor
----- Original Message -----
From: "Stian Thorgersen" <sthorger(a)redhat.com>
To: "Alexander Zagniotov" <azagniotov(a)gmail.com>, "Pedro Igor
Silva" <psilva(a)redhat.com>
Cc: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Thursday, July 14, 2016 4:30:47 AM
Subject: Re: [keycloak-user] Does Keycloak compliant with XACML 2.0 or 3.0 standard?
We're not supporting XACML 2.0 or 3.0. I haven't looked at XACML 3 yet
myself, but it sounds like it is a significant improvement and it would be
worth considering adding a XACML 3 policy.
Aggregated policies are a natural addition to Keycloak and it's not
directly an answer to XACML, rather an alternative approach.
Pedro can probably elaborate a bit more on this though.
On 13 July 2016 at 00:40, Alexander Zagniotov <azagniotov(a)gmail.com> wrote:
> Hello All,
>
> As per subject.
>
> I am also interested to know if Keycloak supports new features provided by
> XACML 3.0:
> Multiple Decision Profile, Policy combination algorithms, Delegation, etc.
>
> That being said, is the aggregated policies feature Keycloak's answer to
> some of the XACML 3.0 new features?
>
>
> Thanks
>