[keycloak-user] (no subject)

Pedro Igor Silva psilva at redhat.com
Tue May 2 07:12:01 EDT 2017


On Mon, May 1, 2017 at 11:31 AM, Sander Geerts <s.geerts at live.nl> wrote:

> Hello,
>
>
> Currently we (as a company) are trying to determine if Keycloak can meet
> our authorization requirements for our products. The authentication part
> seems obvious and will be enough for what we are trying to do, but we do
> have some questions about the authorization part.
>
>
> In our application a user can create a so called 'Process'. This process
> goes through a workflow-engine, which determines the next status based on
> some business rules and configured steps. What we are trying to achieve
> through Keycloak is the following:
>
> - Is user X (with role R) authorized for action (/resource) Y with scope
> Write? (This looks like a basic question which Keycloak can answer for sure)
>
> - Is user X (with role R) authorized for action (/resource) Y with scope
> Write when the given resource (process) is in status A?
>
>
> In abstract terms we are trying to determine:
>
> Is user [X] with role [R] authorized for resource [Y] with scope [S] when
> the requested resource instance [Y1] has a property [Prop] with value [V]?
>

There is one thing that I think you need and we don't support: resource
attributes. There is no easy way to use a custom resource attribute in your
policy; only those that are part of the model (type, uri, name, etc.) are
available. I remember someone with a similar requirement, and I think we
should consider adding support for custom resource attributes soon.

Another thing we are considering in our roadmap is the possibility to push
additional claims when making an authorization request. That is going to
allow you to push whatever claim you want to the server and have those
claims available to your policies. Currently, the claims you can get from
your policies are basically those available from the access token, plus some
others the engine adds to the context (such as client address, realm, client
id, user agent, etc.).


>
>
> We did some research in the Keycloak documentation, and CBAC (Context-Based
> Access Control) is mentioned, but there are no examples or specific
> documentation to be found.
>
>
> My summarized question(s):
>
> - Is the given use-case above possible with Keycloak?
>
> - If so, how would the status of a process be defined? Is this a resource?
> Or should/can we use the CBAC engine?
>
> - If we have to implement a custom 'Authorization' provider for this,
> could you give a short example?
>

You could have your own authorization provider for this; from there you
could access the repository with your process data. We don't have any
specific example for that, but you can take a look at how we implement the
different providers we support OOTB. The reason why we don't have any docs
or examples for this is that the SPI is an area that we need to review
before making it public.


>
>
> We have the option to possibly buy Keycloak support, but we first want to
> verify if it is even an option for our use-cases.
>
>
> Kind regards,
>
>
> Sander
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
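An added example, not part of this thread and not Keycloak project code, to make concrete what a policy written with Keycloak's JavaScript policy type can and cannot see. The body of `processWritePolicy` uses only the `$evaluation` methods that JavaScript policies expose: the identity built from the access token (`hasRealmRole`) and the context attributes the engine adds, such as `kc.client.network.ip_address`. The process status never appears in that context, which is the gap the reply describes. The role name `process-editor`, the resource type URN, the internal-network check and the `fakeEvaluation` harness (a stand-in for the real `$evaluation` object so the policy can be run offline) are all constructed for this example.

```javascript
// Policy body as it would be pasted into a Keycloak JavaScript policy,
// wrapped in a function so it can be exercised outside the server.
// $evaluation is the object Keycloak passes to a JavaScript policy.
function processWritePolicy($evaluation) {
    var context = $evaluation.getContext();
    var identity = context.getIdentity();        // built from the access token
    var attributes = context.getAttributes();    // engine-added context attributes
    var resource = $evaluation.getPermission().getResource();

    // Only decide for resources of the 'process' type (constructed URN); other
    // resources are denied by this policy and left to the others on the permission.
    if (resource.getType() !== 'urn:example:resources:process') {
        $evaluation.deny();
        return;
    }

    // Role check: realm roles come from realm_access.roles in the token.
    if (!identity.hasRealmRole('process-editor')) {
        $evaluation.deny();
        return;
    }

    // Context check: client IP is added by the engine. Restrict writes to the
    // 10.0.0.0/8 network here as an illustration (first-octet match, not CIDR math).
    var ip = attributes.getValue('kc.client.network.ip_address');
    if (ip === null || ip.asString(0).split('.')[0] !== '10') {
        $evaluation.deny();
        return;
    }

    // Note what is missing: nothing here exposes the process's own 'status'
    // attribute, so a rule like "writable only while status == DRAFT" cannot be
    // expressed in this policy with the engine as described in the thread.
    $evaluation.grant();
}

// Constructed stand-in for Keycloak's $evaluation object, implementing only the
// methods the policy above calls, so the decision logic can be run offline.
function fakeEvaluation(opts) {
    var decision = null;
    return {
        getContext: function () {
            return {
                getIdentity: function () {
                    return { hasRealmRole: function (r) { return opts.roles.indexOf(r) !== -1; } };
                },
                getAttributes: function () {
                    return {
                        // Mirrors Attributes.getValue(name): null when absent,
                        // otherwise an entry whose asString(i) returns the i-th value.
                        getValue: function (name) {
                            if (!Object.prototype.hasOwnProperty.call(opts.context, name)) return null;
                            return { asString: function (i) { return opts.context[name][i]; } };
                        }
                    };
                }
            };
        },
        getPermission: function () {
            return { getResource: function () { return { getType: function () { return opts.resourceType; } }; } };
        },
        grant: function () { decision = 'GRANT'; },
        deny: function () { decision = 'DENY'; },
        decision: function () { return decision; }
    };
}

// Runs the policy against a constructed request and returns 'GRANT' or 'DENY'.
function decide(opts) {
    var ev = fakeEvaluation(opts);
    processWritePolicy(ev);
    return ev.decision();
}

// Constructed sample request: editor role, internal client, process resource.
var sampleRequest = {
    roles: ['process-editor'],
    context: { 'kc.client.network.ip_address': ['10.1.2.3'] },
    resourceType: 'urn:example:resources:process'
};
console.log('decision for sample request:', decide(sampleRequest));
```

The per-instance status check the original question asks about has to live either in the application (check the status before asking Keycloak, or after receiving the permission) or in a custom policy provider that reads the process repository, as the reply suggests; the JavaScript policy alone cannot reach it.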

