[keycloak-dev] Pushing Claims from Policy Enforcer

Bill Burke bburke at redhat.com
Thu Apr 5 23:49:01 EDT 2018


I don't understand... Why do you need a plugin SPI for this? Wouldn't
the developer just call into your api to create the invocation to the
permission endpoint?

On Thu, Apr 5, 2018 at 10:41 AM, Pedro Igor Silva <psilva at redhat.com> wrote:
> Hi,
>
> I'm currently working on https://issues.jboss.org/browse/KEYCLOAK-4903.
>
> This is all about allowing applications to push arbitrary claims to
> Keycloak prior to evaluating permissions on the server. A simple example to
> illustrate the idea: a request arrives, you extract what you want from there
> (parameters, headers, etc.) and "push" the information from the request as
> claims in order to evaluate your permissions.
>
> There are endless possibilities on what you can push and how.
>
> From a design perspective, I was thinking about providing a SPI on the
> adapter side (as simple as using ServiceLoader) to load built-in and
> user-defined "claim information points". Examples of built-in
> implementations would be:
>
> * Extract parameters
> * Extract headers
> * Extract path parameters
> * Extract cookies
> * Invoke an external "policy information point"
>
> What do you think?
>
> Regards.
> Pedro Igor



-- 
Bill Burke
Red Hat