[keycloak-dev] Pushing Claims from Policy Enforcer

Pedro Igor Silva psilva at redhat.com
Fri Apr 6 07:29:39 EDT 2018


Actually, that is being added as part of the work I'm doing. In fact, I
have this part done already. Now I'm trying to find the best approach to
enable this on the resource server side. Thus the reason for this thread, as
well as to gather feedback from you.

On Fri, Apr 6, 2018 at 1:41 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> Sounds like a nice addition to me. I presume the RPT endpoint already has
> support for the server-side part?
>
> On 5 April 2018 at 16:41, Pedro Igor Silva <psilva at redhat.com> wrote:
>
>> Hi,
>>
>> I'm currently working on https://issues.jboss.org/browse/KEYCLOAK-4903.
>>
>> This is all about allowing applications to push arbitrary claims to
>> Keycloak prior to evaluating permissions on the server. A simple example
>> to illustrate the idea: a request arrives, you extract what you want from
>> there (parameters, headers, etc.) and "push" the information from the
>> request as claims in order to evaluate your permissions.
>>
>> There are endless possibilities on what you can push and how.
>>
>> From a design perspective, I was thinking about providing a SPI on the
>> adapter side (as simple as using ServiceLoader) to load built-in and
>> user-defined "claim information points". Examples of built-in
>> implementations would be:
>>
>> * Extract parameters
>> * Extract headers
>> * Extract path parameters
>> * Extract cookies
>> * Invoke an external "policy information point"
>>
>> What do you think?
>>
>> Regards.
>> Pedro Igor
>>
>
>
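A sketch of the adapter-side SPI proposed in the quoted message, added here as an illustration; it is not code from the thread or from Keycloak. Every name in it (`ClaimInformationPoint`, `Request`, `HeaderClaims`, `ParameterClaims`, `ClaimPush`) is hypothetical, and it assumes each provider is given an allow-list so that only configured request values are pushed as claims.

```java
import java.util.*;

public class ClaimPush {
    // Collect claims from every configured claim information point for one request.
    static Map<String, List<String>> collect(Request req, Map<String, Set<String>> enabled) {
        List<ClaimInformationPoint> points =
            new ArrayList<>(List.of(new HeaderClaims(), new ParameterClaims())); // built-ins
        // User-defined providers would be listed in META-INF/services/ClaimInformationPoint.
        ServiceLoader.load(ClaimInformationPoint.class).forEach(points::add);
        Map<String, List<String>> claims = new TreeMap<>();
        for (ClaimInformationPoint p : points) {
            Set<String> allowed = enabled.get(p.name());
            if (allowed == null) continue; // provider not configured: push nothing from it
            p.resolve(req, allowed).forEach((k, v) -> claims.put(p.name() + "." + k, v));
        }
        return claims;
    }

    // Copy only allow-listed keys (compared in lower case), dropping everything else.
    static Map<String, List<String>> pick(Map<String, List<String>> src, Set<String> allowed) {
        Map<String, List<String>> out = new TreeMap<>();
        src.forEach((k, v) -> {
            String key = k.toLowerCase(Locale.ROOT);
            if (allowed.contains(key)) out.put(key, List.copyOf(v));
        });
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request; the cookie and "debug" values must not be pushed.
        Request req = new Request(
            Map.of("X-Tenant", List.of("acme"), "Cookie", List.of("SESSION=constructed")),
            Map.of("amount", List.of("250"), "debug", List.of("true")));
        Map<String, Set<String>> enabled =
            Map.of("headers", Set.of("x-tenant"), "parameters", Set.of("amount"));
        System.out.println(collect(req, enabled));
    }
}

// Hypothetical SPI: one implementation per source of claims.
interface ClaimInformationPoint {
    String name();
    Map<String, List<String>> resolve(Request req, Set<String> allowed);
}

// Constructed stand-in for the adapter's view of an HTTP request (Java 16+ record).
record Request(Map<String, List<String>> headers, Map<String, List<String>> parameters) {}

final class HeaderClaims implements ClaimInformationPoint {
    public String name() { return "headers"; }
    public Map<String, List<String>> resolve(Request r, Set<String> a) { return ClaimPush.pick(r.headers(), a); }
}

final class ParameterClaims implements ClaimInformationPoint {
    public String name() { return "parameters"; }
    public Map<String, List<String>> resolve(Request r, Set<String> a) { return ClaimPush.pick(r.parameters(), a); }
}
```

Everything extracted this way is caller-controlled input, so policies evaluating pushed claims should treat them as untrusted context rather than as verified identity attributes.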
