[keycloak-dev] Pushing Claims from Policy Enforcer

Pedro Igor Silva psilva at redhat.com
Thu Apr 5 10:41:50 EDT 2018


Hi,

I'm currently working on https://issues.jboss.org/browse/KEYCLOAK-4903.

This is all about allowing applications to push arbitrary claims to
Keycloak prior to evaluating permissions on the server. A simple example to
illustrate the idea: a request arrives, you extract what you want from there
(parameters, headers, etc.) and "push" the information from the request as
claims in order to evaluate your permissions.

There are endless possibilities on what you can push and how.

From a design perspective, I was thinking about providing a SPI on the
adapter side (as simple as using ServiceLoader) to load built-in and
user-defined "claim information points". Examples of built-in
implementations would be:

* Extract parameters
* Extract headers
* Extract path parameters
* Extract cookies
* Invoke an external "policy information point"

What do you think?

Regards.
Pedro Igor
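
A sketch of the adapter-side SPI proposed above, as an added example that is not part of the original message and not Keycloak's own code. Every type and method name is hypothetical, the request is a constructed stand-in, and the allowlist of request fields is an assumption of this example (request data is client-controlled, so only named fields become claims).

```java
import java.util.*;
import java.util.function.Function;

// Hypothetical names throughout: this is not Keycloak's adapter API.
public class ClaimPush {
    /** Minimal stand-in for an HTTP request (constructed for this example). */
    record Request(Map<String, String> headers, Map<String, String> params) {}

    /** The SPI: a "claim information point" turns a request into claims. */
    public interface ClaimInformationPoint {
        Map<String, List<String>> resolve(Request request);
    }

    /** Built-in point: copies only allowlisted fields, prefixed by their origin. */
    static ClaimInformationPoint allowlisted(String prefix,
            Function<Request, Map<String, String>> source, Set<String> allowed) {
        return request -> {
            Map<String, List<String>> out = new TreeMap<>();
            source.apply(request).forEach((k, v) -> {
                String name = k.toLowerCase(Locale.ROOT);
                if (allowed.contains(name)) out.put(prefix + "." + name, List.of(v));
            });
            return out;
        };
    }

    /** Runs the built-ins plus any user-defined points found by ServiceLoader. */
    static Map<String, List<String>> collect(Request r, List<ClaimInformationPoint> builtIns) {
        List<ClaimInformationPoint> points = new ArrayList<>(builtIns);
        // User-defined implementations listed under META-INF/services are
        // discovered here; with none registered the loader yields nothing.
        ServiceLoader.load(ClaimInformationPoint.class).forEach(points::add);
        Map<String, List<String>> claims = new TreeMap<>();
        for (ClaimInformationPoint p : points) claims.putAll(p.resolve(r));
        return claims;
    }

    public static void main(String[] args) {
        // Constructed request: two fields are allowlisted, two are not.
        Request req = new Request(
            Map.of("X-Tenant", "acme", "Authorization", "Bearer constructed"),
            Map.of("amount", "250", "debug", "true"));
        List<ClaimInformationPoint> builtIns = List.of(
            allowlisted("header", Request::headers, Set.of("x-tenant")),
            allowlisted("param", Request::params, Set.of("amount")));
        // Only header.x-tenant and param.amount are pushed as claims.
        System.out.println(collect(req, builtIns));
    }
}
```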

