[KEYCLOAK-4992] - Allow clients to limit the number of permission in a RPT when using entitlements
This commit is contained in:
parent
e565a6ecbc
commit
3f051df357
1 changed files with 24 additions and 1 deletions
|
@ -36,7 +36,30 @@ curl -X POST -H "Authorization: Bearer ${access_token}" -d '{
|
||||||
Clients can use ```include_resource_name``` to decide whether or not resource`s name should be included on each permission granted by the server. This option
|
Clients can use ```include_resource_name``` to decide whether or not resource`s name should be included on each permission granted by the server. This option
|
||||||
can be used to reduce the size of RPTs and optimize client-server communication.
|
can be used to reduce the size of RPTs and optimize client-server communication.
|
||||||
|
|
||||||
By default, permissions in a RPT contain both the id and name of the resource that was granted for every single permission. This option is specially useful
|
By default, permissions in a RPT contain both the id and name of the resource that was granted by every single permission. This option is specially useful
|
||||||
when the resource server is capable of map their resources only based on the resource`s id.
|
when the resource server is capable of map their resources only based on the resource`s id.
|
||||||
|
|
||||||
|
==== Limiting the number of permissions within a RPT
|
||||||
|
|
||||||
|
.limit
|
||||||
|
```bash
|
||||||
|
curl -X POST -H "Authorization: Bearer ${access_token}" -d '{
|
||||||
|
"metadata" : {
|
||||||
|
"limit" : 10
|
||||||
|
},
|
||||||
|
"permissions" : [
|
||||||
|
...
|
||||||
|
]
|
||||||
|
}' "http://${host}:${port}/auth/realms/${realm_name}/authz/entitlement/{client_id}"
|
||||||
|
```
|
||||||
|
Clients can use ```limit``` to specify how many permissions they expected within a RPT returned by the server. The limit option works as follows:
|
||||||
|
|
||||||
|
* If a request is sent *without* a previously issued RPT, only ```limit``` permissions will be returned based on the resources/scopes from the ```permissions``` claim.
|
||||||
|
* If a request is sent *with* a previously issued RPT, the permissions associated with the resources/scopes from the ```permissions``` claim take precedence where the permissions
|
||||||
|
from the previously issued RPT are only included if ```limit``` is not reached. In case there is enough room for permissions from a previously issued RPT, the server
|
||||||
|
will include the first permissions defined there.
|
||||||
|
|
||||||
|
This option allows clients to control the size of RPTs and keep only last permissions granted by the server. It usually makes sense only in cases your client
|
||||||
|
is capable of sending previously issued RPTs while asking for new permissions (a.k.a.: incremental authorization).
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue