libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

KEYCLOAK-17637 Client Scope Policy for authorization service

Browse source
This commit is contained in:
Yoshiyuki Tabata 2021-04-05 15:12:11 +09:00 committed by Marek Posolda
parent 27f111b2c2
commit 2f9257e91d
4 changed files with 44 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

BIN
authorization_services/keycloak-images/policy/create-client-scope.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 28 KiB

4
authorization_services/topics.adoc
View file

@ -54,6 +54,10 @@ include::topics/policy-group-policy.adoc[leveloffset=+2]
include::topics/policy-group-policy-extend-children.adoc[leveloffset=+3]
include::topics/policy-client-scope-policy.adoc[leveloffset=+2]
include::topics/policy-client-scope-policy-required-client-scope.adoc[leveloffset=+3]
include::topics/policy-logic.adoc[leveloffset=+2]
include::topics/policy-evaluation-api.adoc[leveloffset=+2]

11
authorization_services/topics/policy-client-scope-policy-required-client-scope.adoc Normal file
View file

@ -0,0 +1,11 @@
[[_policy_client_scope_required]]
= Defining a Client Scope as Required
When creating a client scope-based policy, you can specify a specific client scope as `Required`. When you do that, the policy will grant access only if the client requesting access has been granted *all* the *required* client scopes.
.Example of Required Client Scope
image:{project_images}/policy/create-client-scope.png[alt="Example of Required Client Scope"]
To specify a client scope as required, select the `Required` checkbox for the client scope you want to configure as required.
Required client scopes can be useful when your policy defines multiple client scopes but only a subset of them are mandatory.

29
authorization_services/topics/policy-client-scope-policy.adoc Normal file
View file

@ -0,0 +1,29 @@
[[_policy_client_scope]]
= Client Scope-Based Policy
You can use this type of policy to define conditions for your permissions where a set of one or more client scopes is permitted to access an object.
By default, client scopes added to this policy are not specified as required and the policy will grant access if the client requesting access has been granted any of these client scopes. However, you can specify a specific client scope as <<_policy_client_scope_required, required>> if you want to enforce a specific client scope.
To create a new client scope-based policy, select *Client Scope* in the dropdown list in the upper right corner of the policy listing.
.Add Client Scope-Based Policy
image:{project_images}/policy/create-client-scope.png[alt="Add Client Scope-Based Policy"]
== Configuration
* *Name*
+
A human-readable and unique string describing the policy. A best practice is to use names that are closely related to your business and security requirements, so you can identify them more easily.
+
* *Description*
+
A string containing details about this policy.
+
* *Client Scopes*
+
Specifies which client scopes are permitted by this policy.
+
* *Logic*
+
The <<_policy_logic, Logic>> of this policy to apply after the other conditions have been evaluated.