[keycloak-user] Keycloak authorization based on business attributes

Nikola Malenic nikola.malenic at netsetglobal.rs
Tue Jul 10 08:49:28 EDT 2018


Here is how my application should work: 

Users can use some functionalities of my application if they have enough
chips (tokens), which they can buy from another application, or which can be
granted to them upon some event, whatever.
Users have an attribute associated with them called 'chip', which represents
some number. This information should probably be represented as a claim.

I want Keycloak to do this authorization for me, i.e. to check whether the user can
use the functionality or not. I've come across JavaScript-based policies.
It seems they are able to operate on information in tokens, like user
email etc., but this does not fit my case, where the token can contain obsolete
information, i.e. when the token was generated the user had enough chips but has
since spent them.

Maybe the token should be refreshed upon spending chips, but in that case, would
it be updated with the current information bound to the user? Or maybe the
authorization service can somehow access the database during evaluation of a
policy? Could this work, or are there any elegant solutions to this use case?
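The staleness problem the post describes, as an added example that is not code from the original post or from Keycloak itself (the token payload, the balance store and the function names are constructed for illustration): the same 'chip' check gives different answers when read from a token snapshot and from the live balance, and a freshness guard shows that the policy still needs some lookup beyond the token.

```javascript
// Added example: models why a balance-like claim in a token can authorize a
// user who no longer has the balance. All names and values are constructed.

// Constructed token payload: issued at iat = 1000 when the user held 5 chips.
const STALE_TOKEN = { sub: 'user-1', iat: 1000, chip: '5' };

// Constructed source of truth: the user spent 3 chips at t = 1500, i.e. after
// the token above was issued, so the live balance is now 2.
const CHIP_STORE = { 'user-1': { chips: 2, updatedAt: 1500 } };

// Reads the 'chip' claim as a JavaScript policy would see an identity
// attribute: attribute values arrive as strings, so parse defensively.
function chipsFromClaims(claims) {
  const n = Number.parseInt(claims.chip, 10);
  return Number.isInteger(n) && n >= 0 ? n : 0;
}

// Decision taken purely from the token, which is what the post worries about.
function allowFromToken(claims, cost) {
  return chipsFromClaims(claims) >= cost;
}

// Decision taken from the live store; this one cannot go stale.
function allowFromStore(store, sub, cost) {
  const rec = store[sub];
  return rec !== undefined && rec.chips >= cost;
}

// Mitigation sketch (an assumption, not a Keycloak feature): trust the token
// claim only if the token was issued after the balance last changed, otherwise
// require a refresh. Note this still needs a (cheaper) lookup in the store,
// which is exactly the question the post raises about policy evaluation.
function allowIfFresh(claims, store, cost) {
  const rec = store[claims.sub];
  if (rec === undefined || claims.iat < rec.updatedAt) {
    return { allowed: false, reason: 'stale-claim-refresh-required' };
  }
  return { allowed: allowFromToken(claims, cost), reason: 'token-claim' };
}

// Side-by-side result for a functionality costing 3 chips.
function demo(cost = 3) {
  return {
    fromToken: allowFromToken(STALE_TOKEN, cost),
    fromStore: allowFromStore(CHIP_STORE, 'user-1', cost),
    freshnessGuard: allowIfFresh(STALE_TOKEN, CHIP_STORE, cost),
  };
}
```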
