
List:       keycloak-user
Subject:    [keycloak-user] (no subject)
From:       s.geerts () live ! nl (Sander Geerts)
Date:       2017-05-01 14:31:54
Message-ID: CY4PR03MB2470D16133554643FBE1E6628F140 () CY4PR03MB2470 ! namprd03 ! prod ! outlook ! com

Hello,


Currently we (as a company) are trying to determine if Keycloak can meet our requirements for authorization in our products. The authentication part seems obvious and will be enough for what we are trying to do, but we do have some questions about the authorization part.


In our application a user can create a so-called 'Process'. This process goes through a workflow engine, which determines the next status based on some business rules and configured steps. What we are trying to achieve through Keycloak is the following:

- Is user X (with role R) authorized for action (/resource) Y with scope Write? (This looks like a basic question which Keycloak can answer for sure.)

- Is user X (with role R) authorized for action (/resource) Y with scope Write when the given resource (process) is in status A?


In abstract terms we are trying to determine:

Is user [X] with role [R] authorized for resource [Y] with scope [S] when the requested resource instance [Y1] has a property [Prop] with value [V]?


We did some research in the Keycloak documentation, and CBAC (Context-Based Access Control) is mentioned there, but no examples or specific documentation can be found.


My summarized question(s):

- Is the given use-case above possible with Keycloak?

- If so, how would the status of a process be defined? Is this a resource? Or should/can we use the CBAC engine?

- If we have to implement a custom 'Authorization' provider for this, could you give a short example?


We have the option to possibly buy Keycloak support, but we first want to verify if it is even an option for our use-cases.


Kind regards,


Sander
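One way the abstract check above (role R, resource Y, scope S, and an instance property such as a process status) can be expressed in Keycloak is as a JavaScript-based policy attached to the permission for resource Y and scope S. The block below is an added example, not code from the original post or from the Keycloak project. It uses the calls Keycloak's JavaScript policy API exposes through the `$evaluation` object (`getContext().getIdentity().hasRealmRole(...)`, `getContext().getAttributes().getValue(...).asString(0)`, `exists(...)`, `grant()`, `deny()`); the context attribute name `process.status`, the role name `editor`, the status values, and the `fakeEvaluation` stand-in that lets the policy run offline are all assumptions made for the example. The key design point is that Keycloak does not know the workflow state by itself: the application has to push the instance's status into the evaluation context, and the policy must deny when that attribute is missing rather than fall through to grant.

```javascript
// Added example (not from the original post or from Keycloak itself).
// Policy logic as it would be written in a Keycloak JavaScript-based policy.
// The method names on `evaluation` follow the Keycloak JS policy API; the
// attribute name 'process.status' is an assumption for this example.
function processStatusPolicy(evaluation, requiredRole, allowedStatuses) {
  var context = evaluation.getContext();
  var identity = context.getIdentity();

  // Role check: user X must hold realm role R.
  if (!identity.hasRealmRole(requiredRole)) {
    evaluation.deny();
    return;
  }

  // Property check: the application must have pushed the instance's status
  // into the context. If it is absent, deny (default deny, never default grant).
  var attrs = context.getAttributes();
  if (!attrs.exists('process.status')) {
    evaluation.deny();
    return;
  }
  var status = attrs.getValue('process.status').asString(0);

  if (allowedStatuses.indexOf(status) >= 0) {
    evaluation.grant();
  } else {
    evaluation.deny();
  }
}

// The script body Keycloak would store for the policy (hypothetical values:
// role 'editor' may write a process only while it is DRAFT or IN_REVIEW).
function keycloakPolicyScript($evaluation) {
  processStatusPolicy($evaluation, 'editor', ['DRAFT', 'IN_REVIEW']);
}

// Constructed stand-in for Keycloak's `$evaluation` so the policy can be
// exercised offline. It mimics only the calls used above.
function fakeEvaluation(realmRoles, contextAttrs) {
  var decision = null;
  function entry(values) {
    return { asString: function (i) { return values[i]; } };
  }
  return {
    getContext: function () {
      return {
        getIdentity: function () {
          return {
            hasRealmRole: function (r) { return realmRoles.indexOf(r) >= 0; }
          };
        },
        getAttributes: function () {
          return {
            exists: function (n) {
              return Object.prototype.hasOwnProperty.call(contextAttrs, n);
            },
            getValue: function (n) { return entry(contextAttrs[n]); },
            containsValue: function (n, v) {
              return (contextAttrs[n] || []).indexOf(v) >= 0;
            }
          };
        }
      };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    decision: function () { return decision; }
  };
}

// Runs the policy against constructed input and returns 'GRANT' or 'DENY'.
function decide(realmRoles, contextAttrs) {
  var ev = fakeEvaluation(realmRoles, contextAttrs);
  keycloakPolicyScript(ev);
  return ev.decision();
}

// Constructed sample evaluations.
console.log(decide(['editor'], { 'process.status': ['DRAFT'] }));   // GRANT
console.log(decide(['editor'], { 'process.status': ['CLOSED'] }));  // DENY
console.log(decide(['viewer'], { 'process.status': ['DRAFT'] }));   // DENY
console.log(decide(['editor'], {}));                                // DENY
```

The status itself is not a Keycloak resource in this model; the process is the resource and its status is evaluation context supplied by the application at request time. Because the caller controls what it pushes into the context, the application side that supplies `process.status` must read the status from its own trusted store rather than from client-provided input.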

