  1. Keycloak
  2. KEYCLOAK-5728

Allow policy providers to push permission claims

    Details

      Description

      Adding a providerAttrs field to Permission, to allow policy providers to amend the tested policy.

      In my use cases I have rules with a dynamic context to be checked by the business application. Keycloak tells this application: yes, access is allowed if a supplementary condition is also true. A simple case is "this user does have the access and pay scopes for the invoice resource" if "invoice.amount < 10000". I use SpringEL expressions to check the dynamic context.

      This is the smallest PR I found to fit my needs (without having to rebase all the time). I have not included a policy provider using this field, nor patched existing ones. So testing without that is quite difficult, and the testsuite is quite hard to get working well.

      This field could be used for other purposes: to include which provider evaluated the permission (so the business application can trace this when allowing sensitive access), or some specific context (emergency access was active), a signed timestamp, an external reference to the policy version and documentation allowing access...
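
The resource-server side of the invoice case described above, as an added example that is not part of the issue or of Keycloak's code. It assumes the condition travels under a hypothetical `condition` key inside `providerAttrs`, that the token carrying it has already been signature-verified, and that Spring's `spring-expression` library is on the classpath; the `Permission`, `Invoice` and `Root` types are illustrative.

```java
import java.util.List;
import java.util.Map;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class ConditionalPermissionCheck {
    // Hypothetical view of one granted permission after the token's signature has
    // been verified. "providerAttrs" is the field proposed in the issue; the
    // "condition" key inside it is an assumption made for this example.
    public record Permission(String resource, List<String> scopes, Map<String, String> providerAttrs) {}

    // Objects exposed to the expression: public read-only getters and nothing else.
    public static class Invoice {
        private final long amount;
        public Invoice(long amount) { this.amount = amount; }
        public long getAmount() { return amount; }
    }
    public static class Root {
        private final Invoice invoice;
        public Root(Invoice invoice) { this.invoice = invoice; }
        public Invoice getInvoice() { return invoice; }
    }

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    static boolean allowed(Permission p, String scope, Invoice invoice) {
        if (!"invoice".equals(p.resource()) || !p.scopes().contains(scope)) return false;
        String condition = p.providerAttrs() == null ? null : p.providerAttrs().get("condition");
        if (condition == null) return true; // plain grant, no supplementary condition
        // Property reads only: no T(...) type references, constructors, bean lookups or method calls.
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        try {
            Boolean ok = PARSER.parseExpression(condition).getValue(ctx, new Root(invoice), Boolean.class);
            return Boolean.TRUE.equals(ok);
        } catch (ExpressionException e) {
            return false; // fail closed: an unparseable or unevaluable condition denies access
        }
    }

    public static void main(String[] args) {
        Permission p = new Permission("invoice", List.of("access", "pay"),
                Map.of("condition", "invoice.amount < 10000")); // constructed sample
        System.out.println(allowed(p, "pay", new Invoice(2500)));     // condition holds
        System.out.println(allowed(p, "pay", new Invoice(25000)));    // condition fails
        System.out.println(allowed(p, "delete", new Invoice(2500)));  // scope not granted
    }
}
```

Evaluating the condition in a `SimpleEvaluationContext` rather than a `StandardEvaluationContext` keeps an expression received from outside the application limited to reading the properties of the objects it is handed.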

              People

              • Assignee:
                pcraveiro Pedro Igor
                Reporter:
                pcraveiro Pedro Igor
                Tester:
                Michal Hajas