
List:       keycloak-user
Subject:    [keycloak-user] (no subject)
From:       s.geerts () live ! nl (Sander Geerts)
Date:       2017-05-01 14:31:54
Message-ID: CY4PR03MB2470D16133554643FBE1E6628F140 () CY4PR03MB2470 ! namprd03 ! prod ! outlook ! com

Hello,


Currently we (as a company) are trying to determine if Keycloak can meet our requirements of authorization for our products. The authentication part seems obvious and will be enough for what we are trying to do, but we do have some questions about the authorization part.


In our application a user can create a so-called 'Process'. This process goes through a workflow-engine, which determines the next status based on some business rules and configured steps. What we are trying to achieve through Keycloak is the following:

- Is user X (with role R) authorized for action (/resource) Y with scope Write? (This looks like a basic question which Keycloak can answer for sure)

- Is user X (with role R) authorized for action (/resource) Y with scope Write when the given resource (process) is in status A?


In abstract terms we are trying to determine:

Is user [X] with role [R] authorized for resource [Y] with scope [S] when the requested resource instance [Y1] has a property [Prop] with value [V]?


We did some research in the Keycloak documentation, and it mentions CBAC (Context-Based Access Control), but there are no examples or specific documentation to be found.


My summarized question(s):

- Is the given use-case above possible with Keycloak?

- If so, how would the status of a process be defined? Is this a resource? Or should/can we use the CBAC engine?

- If we have to implement a custom 'Authorization' provider for this, could you give a short example?


We have the option to possibly buy Keycloak support, but we first want to verify if it is even an option for our use-cases.


Kind regards,


Sander
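
The decision asked about in this message, modelled as a deny-by-default attribute check. This is an added example, not part of the original message and not Keycloak code or its policy API; the policy table, role names, statuses and function names are all hypothetical.

```javascript
// Added illustration: every name below (POLICIES, isAuthorized, the roles,
// statuses and resource types) is hypothetical and not a Keycloak API.

// Each rule grants one scope on one resource type to one role, optionally
// only while the resource instance has one of the listed attribute values.
const POLICIES = [
  { role: 'editor',   type: 'process', scope: 'write', when: { status: ['A'] } },
  { role: 'reviewer', type: 'process', scope: 'write', when: { status: ['B', 'C'] } },
  { role: 'editor',   type: 'process', scope: 'read' }, // no instance condition
];

// True only if every attribute named in `when` is present on the instance
// and holds an allowed value. A missing attribute fails closed.
function conditionsHold(when, instance) {
  return Object.entries(when || {}).every(([prop, allowed]) =>
    Object.prototype.hasOwnProperty.call(instance, prop) &&
    allowed.includes(instance[prop]));
}

// Deny by default: access is granted only when some rule matches one of the
// user's roles, the resource type, the requested scope and the conditions.
function isAuthorized(user, resource, scope, policies = POLICIES) {
  const roles = new Set(user.roles || []);
  const attrs = resource.attributes || {};
  const rule = policies.find((p) =>
    roles.has(p.role) &&
    p.type === resource.type &&
    p.scope === scope &&
    conditionsHold(p.when, attrs));
  return rule
    ? { granted: true, reason: `role ${rule.role} may ${scope} ${resource.type}` }
    : { granted: false, reason: 'no matching policy' };
}

// Constructed sample data: the same user and scope, different instance status.
const userX = { id: 'X', roles: ['editor'] };
const inStatusA = { type: 'process', id: 'Y1', attributes: { status: 'A' } };
const inStatusB = { type: 'process', id: 'Y2', attributes: { status: 'B' } };
const noStatus = { type: 'process', id: 'Y3', attributes: {} };

for (const r of [inStatusA, inStatusB, noStatus]) {
  console.log(r.id, isAuthorized(userX, r, 'write'));
}
```

The status has to be supplied by the application that owns the process at decision time; a cached value lets a write through after the workflow has moved the process to another status.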

