  1. Keycloak
  2. KEYCLOAK-4991

Limiting the number of permissions in an RPT



      Users should be able to define a limit to the number of permissions in an RPT. This feature is based on Openshift.io requirements.

      The use case is that clients obtaining RPTs from the server should be able to specify the number of permissions they expect in the token in order to have more control over the RPT size.

      This requirement applies only to RPTs obtained using the Entitlement API, although we could also leverage UMA and Authorization API to support a similar behavior. Changes to the UI are not relevant to the first version of this feature, as we can support it by allowing clients to send the limit along with an entitlement request.

      The limit can be defined in different ways:

      • By providing a positive number (or zero) representing the maximum number of permissions expected in an RPT
      • By providing a mode, which can be FIFO or none. FIFO indicates that permissions previously issued (e.g., when sending a previously issued RPT along with the entitlement request) will be included based on the time they were issued, with the first ones removed first. None means that no order will be respected.

      Limiting permissions is especially useful when using incremental authorization, although it may be helpful when obtaining all entitlements from the server for a given user. In the latter case, we could in the future provide support for specifying resource priorities in the server and have them evaluated first, instead of evaluating permissions for every single resource on the server.
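
The limit and FIFO semantics described above, modelled as an added example (not Keycloak code or its API). The names `Permission` and `limit_permissions`, the merge-by-resource step, and keeping a re-granted resource at its original position are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Permission:                      # hypothetical model of one RPT permission
    resource: str
    scopes: set = field(default_factory=set)

def limit_permissions(previous, granted, limit=None, mode="FIFO"):
    """Merge permissions from a previously issued RPT (oldest first) with the
    newly granted ones, then trim the result to at most `limit` entries."""
    if limit is not None and limit < 0:
        raise ValueError("limit must be zero or a positive number")
    if mode not in ("FIFO", "none"):
        raise ValueError("mode must be 'FIFO' or 'none'")

    merged = {}                        # dict insertion order == issuance order
    for p in list(previous) + list(granted):
        if p.resource in merged:
            # Assumption: a re-granted resource keeps its original position
            # and only gains the new scopes.
            merged[p.resource].scopes |= p.scopes
        else:
            merged[p.resource] = Permission(p.resource, set(p.scopes))

    result = list(merged.values())
    if limit is None or len(result) <= limit:
        return result
    if limit == 0:
        return []                      # result[-0:] would return everything
    if mode == "FIFO":
        return result[-limit:]         # earliest-issued permissions go first
    # mode "none": no ordering guarantee, callers must not rely on which
    # permissions survive. This sketch happens to keep the first `limit`.
    return result[:limit]

if __name__ == "__main__":
    # Constructed sample data, not taken from a real RPT.
    previous = [Permission("album-1", {"view"}), Permission("album-2", {"view"})]
    granted = [Permission("album-3", {"view", "delete"})]
    for p in limit_permissions(previous, granted, limit=2, mode="FIFO"):
        print(p.resource, sorted(p.scopes))
```

A permission trimmed from the token is no longer presented to the resource server, so the client has to request it again when it is needed.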





              • Assignee:
                pcraveiro Pedro Igor
                Michal Hajas