KEYCLOAK-17637 Client Scope Policy for authorization service
parent 27f111b2c2
commit 2f9257e91d
4 changed files with 44 additions and 0 deletions
Binary file not shown.
After Width: | Height: | Size: 28 KiB |
|
@ -54,6 +54,10 @@ include::topics/policy-group-policy.adoc[leveloffset=+2]
|
|||
|
||||
include::topics/policy-group-policy-extend-children.adoc[leveloffset=+3]
|
||||
|
||||
include::topics/policy-client-scope-policy.adoc[leveloffset=+2]
|
||||
|
||||
include::topics/policy-client-scope-policy-required-client-scope.adoc[leveloffset=+3]
|
||||
|
||||
include::topics/policy-logic.adoc[leveloffset=+2]
|
||||
|
||||
include::topics/policy-evaluation-api.adoc[leveloffset=+2]
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
[[_policy_client_scope_required]]
|
||||
= Defining a Client Scope as Required
|
||||
|
||||
When creating a client scope-based policy, you can specify a specific client scope as `Required`. When you do that, the policy will grant access only if the client requesting access has been granted *all* the *required* client scopes.
|
||||
|
||||
.Example of Required Client Scope
|
||||
image:{project_images}/policy/create-client-scope.png[alt="Example of Required Client Scope"]
|
||||
|
||||
To specify a client scope as required, select the `Required` checkbox for the client scope you want to configure as required.
|
||||
|
||||
Required client scopes can be useful when your policy defines multiple client scopes but only a subset of them are mandatory.
|
|
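Review bot: The first paragraph under `= Defining a Client Scope as Required` says access is granted only if the client has *all* the required client scopes, but neither it nor the closing sentence says what the non-required scopes in the same policy contribute once at least one scope is marked `Required`. Anyone writing permissions against this policy needs to know whether a client holding every required scope must also hold one of the non-required ones, so please state that outcome explicitly, ideally with a short two-scope example. The figure also points at `create-client-scope.png`, the same image the create screen uses in the other new topic, so check that the screenshot actually shows a scope with `Required` selected.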
@ -0,0 +1,29 @@
|
|||
[[_policy_client_scope]]
|
||||
= Client Scope-Based Policy
|
||||
|
||||
You can use this type of policy to define conditions for your permissions where a set of one or more client scopes is permitted to access an object.
|
||||
|
||||
By default, client scopes added to this policy are not specified as required and the policy will grant access if the client requesting access has been granted any of these client scopes. However, you can specify a specific client scope as <<_policy_client_scope_required, required>> if you want to enforce a specific client scope.
|
||||
|
||||
To create a new client scope-based policy, select *Client Scope* in the dropdown list in the upper right corner of the policy listing.
|
||||
|
||||
.Add Client Scope-Based Policy
|
||||
image:{project_images}/policy/create-client-scope.png[alt="Add Client Scope-Based Policy"]
|
||||
|
||||
== Configuration
|
||||
|
||||
* *Name*
|
||||
+
|
||||
A human-readable and unique string describing the policy. A best practice is to use names that are closely related to your business and security requirements, so you can identify them more easily.
|
||||
+
|
||||
* *Description*
|
||||
+
|
||||
A string containing details about this policy.
|
||||
+
|
||||
* *Client Scopes*
|
||||
+
|
||||
Specifies which client scopes are permitted by this policy.
|
||||
+
|
||||
* *Logic*
|
||||
+
|
||||
The <<_policy_logic, Logic>> of this policy to apply after the other conditions have been evaluated.
|
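Review bot: The opening sentence under `= Client Scope-Based Policy` says a set of client scopes "is permitted to access an object", but it is the client that requests access, and the next paragraph's "has been granted any of these client scopes" does not say where that grant is read from. Suggest rewording along the lines of "grants access when the requesting client has one or more of the listed client scopes" and stating which scopes are evaluated (those assigned to the client, or those present in the request being evaluated), since that decides who passes the policy. Minor: "specify a specific client scope" repeats itself; "mark a client scope as required" reads better.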