Hello,
So, what you did was create a new policy provider that can be used to
specify some attribute that must be satisfied and checked by the adapter
when enforcing permissions granted by this policy?
I guess we'll need to push this information somehow to the permission.
Maybe we can change the SPI to allow developers to push additional data to
permissions after evaluating and granting a permission.
On Wed, Sep 13, 2017 at 6:01 AM, Jean-François HEROUARD <jfherouard.almerys(a)gmail.com> wrote:
Hi,
I'm quite new to Keycloak and not sure if it is a keycloak-user or
keycloak-dev question, please route to the right place if somebody knows.
It is about the authz part of Keycloak.
Our security policy includes a concept of "context" for a permission scope.
It is a String that should be evaluated by the resource owner application;
it can be a time restriction, or a rule applying to a business bean (e.g.
invoice.amount < 1000), or some other global situation (e.g. env.emergency ==
true). The current implementation uses a SpringEL expression to evaluate the
permission context. It allows modeling quite complex security policies
using a few rules. Somewhat in an ABAC way, but Keycloak is only responsible
for distributing user permissions with the allowed resource and scope; the resource
owner is responsible for evaluating the context of the scope to allow the user
to do an action.
I have a Keycloak server plugin that adds a PolicyProviderFactory and
PolicyProvider, and stores the context for the scopes.
I have an extended keycloak-spring-security-adapter which can evaluate
SpringEL contexts when SpringSecurity evaluates permissions.
The problem is how the context string can be sent from my policy plugin to
the Keycloak authz client? Without modifying too much Keycloak code; the
Permission class is used in many different places, but currently I see no
other way. Any ideas?
Thanks.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
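As an added example (not code from this thread, from Keycloak or from the Spring adapter): how the resource-owner application could evaluate a scope's "context" string against a business bean with Spring's SpEL, assuming the context string has already reached the adapter along with the granted scope. The Invoice, Env and RequestContext classes and their property names are constructed for the demo; the evaluator uses SimpleEvaluationContext instead of the full StandardEvaluationContext so that a context string can only read properties and compare values.

```java
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class ScopeContextEvaluator {
    // Constructed beans behind the rules quoted in the question, "invoice.amount < 1000"
    // and "env.emergency == true"; the class and property names are assumptions.
    public static class Invoice {
        private final long amount;
        public Invoice(long amount) { this.amount = amount; }
        public long getAmount() { return amount; }
    }
    public static class Env {
        private final boolean emergency;
        public Env(boolean emergency) { this.emergency = emergency; }
        public boolean isEmergency() { return emergency; }
    }
    // Root object of the expression, exposing the names the context strings refer to.
    public static class RequestContext {
        private final Invoice invoice;
        private final Env env;
        public RequestContext(Invoice invoice, Env env) { this.invoice = invoice; this.env = env; }
        public Invoice getInvoice() { return invoice; }
        public Env getEnv() { return env; }
    }
    private final SpelExpressionParser parser = new SpelExpressionParser();

    // True only if the scope's context expression evaluates to Boolean TRUE.
    public boolean allows(String context, RequestContext root) {
        if (context == null || context.trim().isEmpty()) {
            return true; // no context attached to the granted scope: plain grant
        }
        // SimpleEvaluationContext restricts SpEL to property reads and operators (no
        // type references, constructors, bean references or method invocation), so a
        // context string cannot run arbitrary code on the resource server.
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root).build();
        try {
            return Boolean.TRUE.equals(parser.parseExpression(context).getValue(ctx, Boolean.class));
        } catch (RuntimeException e) {
            return false; // unparsable, ill-typed or disallowed context: fail closed
        }
    }

    // Three context strings: the two rules from the question and one type reference,
    // which SimpleEvaluationContext refuses to evaluate (so it fails closed).
    public static void main(String[] args) {
        ScopeContextEvaluator ev = new ScopeContextEvaluator();
        RequestContext rc = new RequestContext(new Invoice(500), new Env(false));
        System.out.println(ev.allows("invoice.amount < 1000", rc));
        System.out.println(ev.allows("env.emergency == true", rc));
        System.out.println(ev.allows("T(java.lang.System).getenv()", rc));
    }
}
```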