It is about pushing additional claims and using these claims to evaluate
permissions.
On Tue, Jul 10, 2018 at 9:49 AM, Nikola Malenic <nikola.malenic(a)netsetglobal.rs> wrote:
Here is how my application should work:
Users can use some functionalities of my application if they have enough
chips (token) which they can buy from another application, or they can be
granted to them upon some event, whatever.
Users have an attribute associated with them called 'chip', which represents
some number. This information should be represented as a claim, probably.
I want Keycloak to do this authorization for me - to check whether a user can
use the functionality or not. I've come across JavaScript-based policies.
It seems they are able to operate on information in tokens - like user
email etc., but this is not my case, where the token can contain obsolete
information, i.e. when the token was generated the user had enough chips but
since then he spent them.
Maybe the token should be refreshed upon spending chips, but in that case,
would it be updated with the current information bound to the user? Or maybe
the authorization service can somehow access the database during evaluation of
a policy? Could this work or are there any elegant solutions to this use
case?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user