[keycloak-user] Adding an attribute "context" to org.keycloak.representations.idm.authorization.Permission

Pedro Igor Silva psilva at redhat.com
Wed Sep 13 08:08:00 EDT 2017 

Hello,

So, what you did was create a new policy provider that can be used to
specify some attribute that must be satisfied and checked by the adapter
when enforcing permissions granted by this policy ?

I guess, we'll need to push this information somehow to the permission.
Maybe we can change the SPI to allow developers to push additional data to
permissions after evaluating and granting a permission.

On Wed, Sep 13, 2017 at 6:01 AM, Jean-François HEROUARD <
jfherouard.almerys at gmail.com> wrote:

> Hi,
>
> I'm quite new to keycloak and not sure if it is a keycloak-user or
> keycloak-dev question, please route to the right place if somebody knows.
> Is is about the authz part of Keycloak.
>
> Our security policy includes a concept of "context" for a permission scope.
> It is a String that should be evaluated by the resource owner application,
> it can be a time restriction, or a rule applying on a business bean (eg
> invoice.amount < 1000), or some other global situation (eg env.emergency ==
> true). Current implementation uses a SpringEL expression to evaluate the
> permission context. It allows to modelize quite complex security policies
> using few rules. Somewhat in an ABAC way, but Keycloak is only responsible
> to distribute user permission with allowed resource and scope, resource
> owner is responsible to evaluate the context of the scope to allow the user
> to do an action.
>
> I have a Keycloak server plugin that adds a PolicyProviderFactory and
> PolicyProvider, and stores the context for the scopes.
>
> I have an extended keycloak-spring-security-adapter which can evaluate
> SpringEL contexts when SpringSecurity evaluates permissions.
>
> The problem is how the context string can be sent from my policy plugin to
> the keycloak authz client ? Without modifying too much Keycloak code, the
> Permission class is used many differents places, but currently i see no
> other way. Any ideas ?
>
> Thanks.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

More information about the keycloak-user mailing list