[keycloak-user] Additional attributes for an authorization request

Scott Elliott scottpelliott at gmail.com
Fri Feb 3 15:26:05 EST 2017


The example I've been given is evaluating whether or not a request has
permission to make a change to a value by a particular amount.  Sounds like
an application function, but I don't necessarily want to have to change the
application whenever some policy decision needs to be made or changed (like
for now, it's based on one value, but in the future, it could be several
values).  Ideally, I guess, the ability to pass additional data (say, JSON)
with the request that the Evaluation API could access, so it would be up to
the caller and policy to decide what's needed to grant the request.

OOTB, I'm not sure.  It confused me for a while why the URI was in the
resource configuration, when you couldn't pass a URI for Authorization, but
I've since figured out that the URI is used in the OIDC adapter to select
the resource, not in the server.  That's one of the items that was expected
to be available in the Evaluation API.  I don't know if it really makes
sense or not, assuming a general purpose resource mechanism.

On Fri, Feb 3, 2017 at 12:26 PM Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi Scott,
>
> You can't pass additional attributes along with an authorization request.
> However, that is something we want to support on future versions.
>
> Right now, the information you get is basically what is in an access
> token. So whatever you push as a claim (e.g.: using mappers) it will be
> available to your policies.
>
> That is an important addition to our API in order to push more context to
> policies, as you are requesting.
>
> One thing to keep in mind is that we can't blindly trust authorization
> requests from clients as they can be easily manipulated. What type of
> client are you using?
>
> Another question, what are you missing in the Evaluation API? Is there
> anything we can provide OOTB?
>
> Regards.
> Pedro Igor
>
> On Thu, Feb 2, 2017 at 2:18 PM, Scott Elliott <scottpelliott at gmail.com>
> wrote:
>
> Would there be any way to pass additional attributes (say, something from a
> REST API call's headers or body) to an authorization request, and access it
> in a Javascript or rules based policy? I see that what is available in the
> Evaluation API currently is pretty limited.
>

