I am missing something to handle all the requirements of my applications. It would be awesome to have an attribute-based permission. This is how I conceive it:
- In the authorization service, a new tab to define a resource type with its attributes, for example a Car resource type (Color, Model, Size, ...), but without values like currently in the resource tab.
- Attribute fields inside Resource and Scope permissions to add information about which attributes can be retrieved inside a Resource. Maybe with a positive or negative grant to add or remove only one field.
- Like other permissions, this would be available inside an RPT to be processed offline by the resource server.
It would allow handling use cases like retrieving all users but not their gender, for example.
I know I can achieve the same result with scopes, but it tends to make the scope definitions explode, as I need to define a scope for each attribute of a resource type.
Besides that, Keycloak is just an awesome product.
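Added example, not part of the original post and not Keycloak code: the scope-per-attribute workaround the post mentions, as a resource server would enforce it offline from an already verified RPT. The `authorization.permissions` layout (`rsid`, `rsname`, `scopes`) is Keycloak's; the `read:<attribute>` scope naming, the function names and the sample data are assumptions made for illustration.

```python
# Constructed sample: decoded payload of an RPT whose signature and expiry
# have already been verified. The "read:<attribute>" scope naming is an
# assumption; each attribute/action pair needs its own scope.
SAMPLE_RPT_CLAIMS = {
    "sub": "constructed-subject",
    "authorization": {
        "permissions": [
            {"rsid": "constructed-id-1", "rsname": "User",
             "scopes": ["read:username", "read:email"]},
            {"rsid": "constructed-id-2", "rsname": "Car",
             "scopes": ["read:color", "read:model", "update:color"]},
        ]
    },
}


def granted_attributes(claims, resource_name, action="read"):
    """Return the attribute names the RPT grants for `action` on a resource."""
    granted = set()
    permissions = claims.get("authorization", {}).get("permissions", [])
    for perm in permissions:
        if perm.get("rsname") != resource_name:
            continue
        # A permission may carry no scopes at all; that grants no attribute.
        for scope in perm.get("scopes") or []:
            verb, sep, attribute = scope.partition(":")
            if sep and verb == action and attribute:
                granted.add(attribute)
    return granted


def filter_record(record, claims, resource_name, action="read"):
    """Default deny: keep only attributes explicitly granted by the RPT."""
    allowed = granted_attributes(claims, resource_name, action)
    return {key: value for key, value in record.items() if key in allowed}


def filter_collection(records, claims, resource_name):
    """Apply the same filter to every record of a listing ("all users")."""
    return [filter_record(r, claims, resource_name) for r in records]


if __name__ == "__main__":
    users = [  # constructed records
        {"username": "alice", "email": "alice@example.org", "gender": "f"},
        {"username": "bob", "email": "bob@example.org", "gender": "m"},
    ]
    print(filter_collection(users, SAMPLE_RPT_CLAIMS, "User"))
```

Because the filter is default deny, an attribute added to the User type later stays hidden until a matching scope is defined and granted.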