
List:       keycloak-user
Subject:    [keycloak-user] (no subject)
From:       s.geerts () live ! nl (Sander Geerts)
Date:       2017-05-01 14:31:54
Message-ID: CY4PR03MB2470D16133554643FBE1E6628F140 () CY4PR03MB2470 ! namprd03 ! prod ! outlook ! com

Hello,


Currently we (as a company) are trying to determine if Keycloak can meet
our requirements of authorization for our products. The authentication part
seems obvious and will be enough for what we are trying to do, but we do
have some questions about the authorization part.


In our application a user can create a so-called 'Process'. This process
goes through a workflow engine, which determines the next status based on
some business rules and configured steps. What we are trying to achieve
through Keycloak is the following:

- Is user X (with role R) authorized for action (/resource) Y with scope
  Write? (This looks like a basic question which Keycloak can answer for
  sure)

- Is user X (with role R) authorized for action (/resource) Y with scope
  Write when the given resource (process) is in status A?


In abstract terms we are trying to determine:

Is user [X] with role [R] authorized for resource [Y] with scope [S] when
the requested resource instance [Y1] has a property [Prop] with value [V]?


We did some research in the Keycloak documentation, and there is mention of
CBAC (Context-Based Access Control), but there are no examples or specific
documentation to be found.


My summarized question(s):

- Is the given use-case above possible with Keycloak?

- If so, how would the status of a process be defined? Is this a resource?
  Or should/can we use the CBAC engine?

- If we have to implement a custom 'Authorization' provider for this, could
  you give a short example?


We have the option to possibly buy Keycloak support, but we first want to
verify if it is even an option for our use-cases.


Kind regards,


Sander

