Adding a providerAttrs field to Permission, to allow a policy provider to amend the tested policy.
In my use cases, I have rules with a dynamic context to be checked by the business application. Keycloak tells this application: yes, access is allowed if a supplementary condition is also true. A simple case is "this user does have the access and pay scopes for the invoice resource" if "invoice.amount < 10000". I use SpringEL expressions to check the dynamic context.
This is the smallest PR I found to fit my needs (without having to rebase all the time). I have not included a policy provider using this field, nor patched existing ones. So testing without that is quite difficult, and the testsuite is quite hard to get working well.
This field could be used for other purposes: to include which provider has evaluated the permission (so the business application can trace this when allowing sensitive access), or some specific context (emergency access was active), a signed timestamp, an external reference to the policy version and documentation allowing access...