[keycloak-dev] Permission and Obligation

Pedro Igor Silva psilva at redhat.com
Thu Oct 26 16:08:00 EDT 2017


Hi,

This is about https://issues.jboss.org/browse/KEYCLOAK-5728.

The idea is to allow policies to push information to a policy enforcer (PEP)
in order to enrich the final decision if a resource can be accessed or not.

In XACML there is a well-known concept called Obligation, which can be used
to pass information to a policy enforcer in order to take some action or
verify something before granting or denying access to a resource.

Suppose you have a JS policy and want to push obligations when evaluating a
permission:

if (someCondition) {
    var permission = $evaluation.getPermission();
    permission.addObligation('transfer.limit', '200');
}

On the resource server side, you will be able to obtain *transfer.limit*
and check whether a request satisfies the obligation.

Any comments?

Regards.
Pedro Igor
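
The resource-server check described in the message above, sketched as an added example that is not part of the original post and is not Keycloak code. The decision shape, the `enforce` function and the handler registry are assumptions made for illustration; only the `transfer.limit` name and its value `'200'` come from the message. It fails closed when an obligation has no handler or carries a malformed value.

```javascript
// Added example: hypothetical PEP-side obligation check (not Keycloak API).
// Each handler returns true when the request satisfies the obligation value.
const obligationHandlers = {
  'transfer.limit': (value, request) => {
    // Strict decimal parse: rejects '', '200abc', '-1', '1e3' and non-strings.
    if (typeof value !== 'string' || !/^\d+(\.\d+)?$/.test(value)) return false;
    const limit = Number(value);
    return typeof request.amount === 'number' &&
      Number.isFinite(request.amount) &&
      request.amount > 0 &&
      request.amount <= limit;
  },
};

// Constructed decision, shaped as a PEP might receive it (assumed format).
const sampleDecision = {
  granted: true,
  permissions: [
    { resource: 'account', scopes: ['transfer'], obligations: { 'transfer.limit': '200' } },
  ],
};

function enforce(decision, resource, request) {
  if (!decision || decision.granted !== true) {
    return { allowed: false, reason: 'denied by policy' };
  }
  const permission = (decision.permissions || []).find((p) => p.resource === resource);
  if (!permission) return { allowed: false, reason: 'no permission for resource' };
  for (const [name, value] of Object.entries(permission.obligations || {})) {
    // Own-property lookup so names such as 'constructor' never resolve
    // to something inherited from Object.prototype.
    const known = Object.prototype.hasOwnProperty.call(obligationHandlers, name);
    if (!known) return { allowed: false, reason: `unknown obligation: ${name}` };
    if (!obligationHandlers[name](value, request)) {
      return { allowed: false, reason: `obligation not satisfied: ${name}` };
    }
  }
  return { allowed: true, reason: 'ok' };
}
```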

