keycloak-scim/authorization_services/topics/enforcer-overview.adoc

[[_enforcer_overview]]
= Policy Enforcers

Policy Enforcement Point (PEP) is a design pattern and as such you can implement it in different ways. {project_name} provides all the necessary means
to implement PEPs for different platforms, environments, and programming languages. {project_name} Authorization Services presents a RESTful API,
and leverages OAuth2 authorization capabilities for fine-grained authorization using a centralized authorization server.

image:images/pep-pattern-diagram.png[alt="PEP Overview"]

A PEP is responsible for enforcing access decisions from the {project_name} server where these decisions are taken by evaluating the policies
associated with a protected resource. It acts as a filter or interceptor in your application in order to check whether or not a particular request
to a protected resource can be fulfilled based on the permissions granted by these decisions.

Permissions are enforced depending on the protocol you are using. When using UMA, the policy enforcer always expects an RPT as a bearer token in order
to decide whether or not a request can be served. That means clients should first obtain an RPT from {project_name} before sending requests to the resource server.

However, if you are not using UMA, you can also send regular access tokens to the resource server. In this case, the policy enforcer will try to obtain permissions directly from the server.

If you are using any of the {project_name} OIDC adapters, you can easily enable the policy enforcer by adding the following property to your *keycloak.json* file:

.keycloak.json
```json
{
 "policy-enforcer": {}
}
```

When you enable the policy enforcer all requests sent your application are intercepted and access to protected resources will be granted
depending on the permissions granted by {project_name} to the identity making the request.

Policy enforcement is strongly linked to your application's paths and the <<_resource_overview, resources>> you created for a resource server using the {project_name} Administration Console. By default,
when you create a resource server, {project_name} creates a <<_resource_server_default_config, default configuration>> for your resource server so you can enable policy enforcement quickly.
[RHSSO-599] - Replacing link with fake 2016-11-29 15:30:53 +00:00			`[[_enforcer_overview]]`
Convert Authorization Service to a flat topic structure (#212) * Convert Authorization Service to a flat topic structure * Fix issue with toc being cut 2017-10-09 06:38:46 +00:00			`= Policy Enforcers`
Servlet security quickstart 2016-06-03 23:49:26 +00:00
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`Policy Enforcement Point (PEP) is a design pattern and as such you can implement it in different ways. {project_name} provides all the necessary means`
			`to implement PEPs for different platforms, environments, and programming languages. {project_name} Authorization Services presents a RESTful API,`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`and leverages OAuth2 authorization capabilities for fine-grained authorization using a centralized authorization server.`
Servlet security quickstart 2016-06-03 23:49:26 +00:00
Convert Authorization Service to a flat topic structure (#212) * Convert Authorization Service to a flat topic structure * Fix issue with toc being cut 2017-10-09 06:38:46 +00:00			`image:images/pep-pattern-diagram.png[alt="PEP Overview"]`
[KEYCLOAK-4903] - Pushed Claims and improvements to PEP 2018-04-18 20:15:29 +00:00
			`A PEP is responsible for enforcing access decisions from the {project_name} server where these decisions are taken by evaluating the policies`
			`associated with a protected resource. It acts as a filter or interceptor in your application in order to check whether or not a particular request`
			`to a protected resource can be fulfilled based on the permissions granted by these decisions.`

[KEYCLOAK-7552] - More docs and examples 2018-06-12 02:16:55 +00:00			`Permissions are enforced depending on the protocol you are using. When using UMA, the policy enforcer always expects an RPT as a bearer token in order`
			`to decide whether or not a request can be served. That means clients should first obtain an RPT from {project_name} before sending requests to the resource server.`

			`However, if you are not using UMA, you can also send regular access tokens to the resource server. In this case, the policy enforcer will try to obtain permissions directly from the server.`

[KEYCLOAK-4903] - Pushed Claims and improvements to PEP 2018-04-18 20:15:29 +00:00			`If you are using any of the {project_name} OIDC adapters, you can easily enable the policy enforcer by adding the following property to your keycloak.json file:`

			`.keycloak.json`
			```json
			`{`
			`"policy-enforcer": {}`
			`}`
			```

			`When you enable the policy enforcer all requests sent your application are intercepted and access to protected resources will be granted`
			`depending on the permissions granted by {project_name} to the identity making the request.`

			`Policy enforcement is strongly linked to your application's paths and the <<_resource_overview, resources>> you created for a resource server using the {project_name} Administration Console. By default,`
			`when you create a resource server, {project_name} creates a <<_resource_server_default_config, default configuration>> for your resource server so you can enable policy enforcement quickly.`