  1. Keycloak
  2. KEYCLOAK-5728

Allow policy providers to push permission claims

    Description

      Adding a providerAttrs field to Permission, to allow policy providers to amend the tested policy.

      In my use cases I have rules with a dynamic context to be checked by the business application. Keycloak tells this application: yes, access is allowed if a supplementary condition is also true. A simple case is "this user does have the access and pay scopes for the invoice resource" if "invoice.amount < 10000". I use SpringEL expressions to check the dynamic context.

      This is the smallest PR I found to fit my needs (without having to rebase all the time). I have not included a policy provider using this field, nor patched existing ones. So testing without that is quite difficult, and the testsuite is quite hard to get working well.

      This field could be used for other purposes: to include which provider has evaluated the permission (so the business application can trace this when allowing sensitive access), or some specific context (emergency access was active), a signed timestamp, an external reference to the policy version and documentation allowing access...
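
The resource-server side of the flow described above, as an added example that is not part of the issue, its PR or Keycloak's code: the application enforces the pushed condition and denies when it cannot be evaluated. It assumes `providerAttrs` reaches the application as a string map with a hypothetical `condition` key, and that Spring's `spring-expression` library is on the classpath; the `Permission`, `Invoice` and `RequestContext` types are illustrative.

```java
import java.util.Map;
import java.util.Set;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class ConditionalPermissionCheck {
    // Assumed shape: only the providerAttrs name comes from the issue; its
    // type and the "condition" key are hypothetical.
    public record Permission(String resource, Set<String> scopes, Map<String, String> providerAttrs) {}

    // Request-time data the expression may read (plain getters only).
    public static class Invoice {
        private final long amount;
        public Invoice(long amount) { this.amount = amount; }
        public long getAmount() { return amount; }
    }
    public static class RequestContext {
        private final Invoice invoice;
        public RequestContext(Invoice invoice) { this.invoice = invoice; }
        public Invoice getInvoice() { return invoice; }
    }

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    public static boolean isAllowed(Permission p, String resource, String scope, RequestContext request) {
        if (!p.resource().equals(resource) || !p.scopes().contains(scope)) return false;
        Map<String, String> attrs = p.providerAttrs();
        if (attrs == null || !attrs.containsKey("condition")) return true; // no extra condition pushed
        String condition = attrs.get("condition");
        if (condition == null || condition.isBlank()) return false;        // malformed claim: deny
        // Read-only data binding: property reads and operators only; no type
        // references, constructors or bean references are available.
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().withRootObject(request).build();
        try {
            return Boolean.TRUE.equals(PARSER.parseExpression(condition).getValue(ctx, Boolean.class));
        } catch (ExpressionException e) {
            return false; // unparseable or failing condition: deny
        }
    }

    public static void main(String[] args) {
        // Constructed sample permission using the issue's invoice example.
        Permission p = new Permission("invoice", Set.of("access", "pay"), Map.of("condition", "invoice.amount < 10000"));
        System.out.println(isAllowed(p, "invoice", "pay", new RequestContext(new Invoice(5000))));
        System.out.println(isAllowed(p, "invoice", "pay", new RequestContext(new Invoice(20000))));
    }
}
```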

            People

              psilva@redhat.com Pedro Igor Craveiro
              Michal Hajas