[keycloak-user] Keycloak authorization based on business attributes

Pedro Igor Silva psilva at redhat.com
Tue Jul 10 10:13:12 EDT 2018


Maybe this can help you
https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point.
It is about pushing additional claims and using these claims to evaluate
permissions.

On Tue, Jul 10, 2018 at 9:49 AM, Nikola Malenic <
nikola.malenic at netsetglobal.rs> wrote:

> Here is how my application should work:
>
> Users can use some functionalities of my application if they have enough
> chips (tokens), which they can buy from another application, or they can be
> granted to them upon some event, whatever.
> Users have an attribute associated with them called 'chip', which represents
> some number. This information should be represented as a claim, probably.
>
> I want Keycloak to do this authorization for me - to check whether the user
> can use the functionality or not. I've come across JavaScript-based policies.
> It seems they are able to operate on information in tokens - like user
> email etc., but this is not my case, where the token can contain obsolete
> information, i.e. when the token was generated the user had enough chips but
> since then he has spent them.
>
> Maybe the token should be refreshed upon spending chips, but in that case,
> would it be updated with current information bound to the user? Or maybe
> the authorization service can somehow access the database during evaluation
> of a policy? Could this work, or are there any elegant solutions to this use
> case?
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
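
A worked illustration of the approach in the reply above, added here as an example and not taken from the list message or from Keycloak's own code. It shows the two halves that the linked documentation describes: a policy-enforcer entry in keycloak.json whose HTTP claim information point (CIP) fetches the user's current chip balance on every request and pushes it as the claim "chip", and a JavaScript policy that reads that pushed claim from the evaluation context attributes instead of from the (possibly stale) token. The path /premium/*, the chip-service URL, the claim name, the threshold of 10 chips and the small stand-in for the $evaluation API used to run the policy in Node are all assumptions made for the example.

```javascript
// Added example, not from the list message or from Keycloak: a JavaScript
// policy that decides on the "chip" claim pushed per request by the policy
// enforcer's claim information point (CIP), plus a small stand-in for the
// $evaluation API so the policy can be exercised offline in Node.
// Path, claim name, threshold and the chip-service URL are assumptions.

// keycloak.json fragment the adapter's policy enforcer would carry (assumed
// path and URL). The HTTP CIP queries the chip service on every request to
// /premium/* and pushes the value found at JSON path "/chips" in the response
// as the claim "chip". The policy therefore sees the current balance rather
// than whatever was minted into the access token at login.
const ENFORCER_CONFIG = {
  "policy-enforcer": {
    "paths": [
      {
        "path": "/premium/*",
        "claim-information-point": {
          "http": {
            "claims": { "chip": "/chips" },
            "url": "http://chip-service.internal/api/balance", // assumed
            "method": "GET",
            "headers": { "Authorization": "Bearer {keycloak.access_token}" }
          }
        }
      }
    ]
  }
};

var MIN_CHIPS = 10; // assumed cost of the protected functionality

// Policy body, kept ES5-style because Keycloak evaluates JS policies with the
// JVM script engine. In Keycloak it is a top-level script with $evaluation as
// a global; the function wrapper is only here so it can be called from Node.
function chipPolicy($evaluation) {
  var attributes = $evaluation.getContext().getAttributes();
  var chip = attributes.getValue('chip');
  // No pushed value (CIP missing, backend unreachable, claim absent): deny.
  // Never fall back to a "chip" attribute in the token; that is the stale
  // value the question is worried about.
  if (chip === null || chip === undefined || chip.isEmpty()) {
    $evaluation.deny();
    return;
  }
  // In Keycloak asInt() throws on a non-numeric value; the stub below
  // returns NaN. Either way grant() is never reached.
  var balance = chip.asInt(0);
  if (!isNaN(balance) && balance >= MIN_CHIPS) {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// Stand-in for the evaluation context: mirrors Attributes.getValue(name) and
// the Entry accessors (isEmpty, asString, asInt) the policy uses.
// Keycloak's default is deny; only an explicit grant() flips it.
function makeEvaluation(pushedClaims) {
  let decision = 'deny';
  const entry = (values) => ({
    isEmpty: () => values.length === 0,
    asString: (i) => String(values[i]),
    asInt: (i) => parseInt(values[i], 10),
  });
  return {
    getContext: () => ({
      getAttributes: () => ({
        getValue: (name) =>
          Object.prototype.hasOwnProperty.call(pushedClaims, name)
            ? entry(pushedClaims[name]) : null,
      }),
    }),
    grant: () => { decision = 'grant'; },
    deny: () => { decision = 'deny'; },
    decision: () => decision,
  };
}

// Run the policy against a constructed set of pushed claims and return the
// decision, so the same logic can be checked for several balances.
function decide(pushedClaims) {
  const ev = makeEvaluation(pushedClaims);
  chipPolicy(ev);
  return ev.decision();
}

// Constructed inputs: a fresh balance above and below the threshold, a
// request where the CIP pushed nothing, and a malformed value.
console.log(decide({ chip: ['25'] }));  // grant
console.log(decide({ chip: ['3'] }));   // deny
console.log(decide({}));                // deny
console.log(decide({ chip: ['n/a'] })); // deny
```

Two practical points follow from this layout. The chip service is called with the user's own access token forwarded in the Authorization header, so it must validate that token and return only that user's balance; otherwise the CIP becomes a way to read other users' balances. And because the balance is read at evaluation time, a request that arrives between a spend and the next evaluation still sees the old number, so the spend itself must be debited atomically on the chip service rather than trusted from the authorization decision.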

