[keycloak-user] Adding an attribute "context" to org.keycloak.representations.idm.authorization.Permission

Jean-François HEROUARD jfherouard.almerys at gmail.com
Wed Sep 13 05:01:37 EDT 2017


Hi,

I'm quite new to Keycloak and not sure if it is a keycloak-user or
keycloak-dev question; please route it to the right place if somebody knows.
It is about the authz part of Keycloak.

Our security policy includes a concept of "context" for a permission scope.
It is a String that should be evaluated by the resource owner application;
it can be a time restriction, or a rule applying to a business bean (e.g.
invoice.amount < 1000), or some other global situation (e.g. env.emergency ==
true). The current implementation uses a SpringEL expression to evaluate the
permission context. It allows modelling quite complex security policies
with few rules. It is somewhat ABAC-like, but Keycloak is only responsible
for distributing user permissions with the allowed resource and scope; the
resource owner is responsible for evaluating the context of the scope to
allow the user to do an action.

I have a Keycloak server plugin that adds a PolicyProviderFactory and
PolicyProvider, and stores the context for the scopes.

I have an extended keycloak-spring-security-adapter which can evaluate
SpringEL contexts when SpringSecurity evaluates permissions.

The problem is how the context string can be sent from my policy plugin to
the Keycloak authz client. Without modifying too much Keycloak code, the
Permission class is used in many different places, but currently I see no
other way. Any ideas?

Thanks.
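As an added example that is not part of the original post, and not code from Keycloak or the Spring Security adapter: this is how the resource-owner side of the design described above can evaluate the "context" string attached to a scope. The `ScopedPermission` carrier (scope name mapped to its context expression), the `RequestFacts`/`Invoice`/`Env` classes and the sample expressions are assumptions standing in for whatever the policy plugin would deliver. It uses Spring's `SpelExpressionParser` with a `SimpleEvaluationContext` rather than a `StandardEvaluationContext`, so a context string can only read properties of the facts object and cannot reference types, constructors or beans, and any parse or evaluation failure denies the action.

```java
// Added example, not from the original post nor from Keycloak/Spring.
// Resource-owner side check: a scope is allowed when the user holds it and its
// "context" expression (if any) evaluates to true against the request facts.
import java.util.HashMap;
import java.util.Map;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class ContextScopeEvaluator {

    /** Hypothetical carrier for what the question wants on Permission: scope -> context string. */
    public static final class ScopedPermission {
        private final String resource;
        private final Map<String, String> scopeContexts;
        public ScopedPermission(String resource, Map<String, String> scopeContexts) {
            this.resource = resource;
            this.scopeContexts = scopeContexts;
        }
        public String getResource() { return resource; }
        public Map<String, String> getScopeContexts() { return scopeContexts; }
    }

    /** Business facts a context expression may reference (root object of the evaluation). */
    public static final class Invoice {
        private final long amount; private final String owner;
        public Invoice(long amount, String owner) { this.amount = amount; this.owner = owner; }
        public long getAmount() { return amount; }
        public String getOwner() { return owner; }
    }
    public static final class Env {
        private final boolean emergency; private final int hour;
        public Env(boolean emergency, int hour) { this.emergency = emergency; this.hour = hour; }
        public boolean isEmergency() { return emergency; }
        public int getHour() { return hour; }
    }
    public static final class RequestFacts {
        private final Invoice invoice; private final Env env; private final String user;
        public RequestFacts(Invoice invoice, Env env, String user) {
            this.invoice = invoice; this.env = env; this.user = user;
        }
        public Invoice getInvoice() { return invoice; }
        public Env getEnv() { return env; }
        public String getUser() { return user; }
    }

    private final ExpressionParser parser = new SpelExpressionParser();

    public boolean isAllowed(ScopedPermission perm, String scope, RequestFacts facts) {
        if (!perm.getScopeContexts().containsKey(scope)) {
            return false;                         // scope not granted at all
        }
        String context = perm.getScopeContexts().get(scope);
        if (context == null || context.trim().isEmpty()) {
            return true;                          // unconditional scope
        }
        // Data-binding-only context: property reads on the root object, no type
        // references, constructors, bean references or arbitrary method calls.
        SimpleEvaluationContext ctx = SimpleEvaluationContext
                .forReadOnlyDataBinding()
                .withRootObject(facts)
                .build();
        try {
            Expression expr = parser.parseExpression(context);
            Boolean result = expr.getValue(ctx, Boolean.class);
            return Boolean.TRUE.equals(result);
        } catch (ExpressionException e) {
            return false;                         // malformed or failing context: fail closed
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: contexts of the kind the post describes.
        Map<String, String> contexts = new HashMap<>();
        contexts.put("view", "");
        contexts.put("approve", "invoice.amount < 1000 or env.emergency == true");
        contexts.put("delete", "env.hour >= 9 and env.hour < 18 and invoice.owner == user");
        ScopedPermission perm = new ScopedPermission("invoices", contexts);

        ContextScopeEvaluator evaluator = new ContextScopeEvaluator();
        RequestFacts small = new RequestFacts(new Invoice(500, "alice"), new Env(false, 10), "alice");
        RequestFacts large = new RequestFacts(new Invoice(5000, "bob"), new Env(false, 20), "alice");

        System.out.println("view/large:    " + evaluator.isAllowed(perm, "view", large));
        System.out.println("approve/small: " + evaluator.isAllowed(perm, "approve", small));
        System.out.println("approve/large: " + evaluator.isAllowed(perm, "approve", large));
        System.out.println("delete/small:  " + evaluator.isAllowed(perm, "delete", small));
        System.out.println("delete/large:  " + evaluator.isAllowed(perm, "delete", large));
        System.out.println("pay/small:     " + evaluator.isAllowed(perm, "pay", small));
    }
}
```

The context string is authored on the policy server, but it still crosses a trust boundary into the resource owner's process, which is why the evaluator restricts SpEL to read-only data binding and denies on any exception instead of treating an evaluation error as "no restriction".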

