I was searching through the supported policy types of Keycloak and saw that it offers some predefined choices regarding:

  • Regex
  • Role
  • Client
  • User ...
  • Js

The most flexible one seems to be Js, after the drop of support for rule-based policies.

So my question is whether it is possible to implement some type or parts of license enforcement using Keycloak.

Say, for example, the case of denying access to a user if he/she is the owner of more than X resources of a particular type (e.g. allow each user a limit of X image uploads). I couldn't find a way to implement this natively using the evaluation context. It might be possible by updating the permissions/scopes, such as removing a related user policy through an external service, but it doesn't sound appealing. Is Keycloak meant to support such a case through policies?

Thanks in advance.

ichantz
  • Can you explain this statement of yours in more detail? "he/she is owner at more than x resources of a particular type." – Bench Vue Sep 06 '22 at 23:11
  • Hi, @BenchVue. Yes, I mean that if a user of a particular realm is found as owner of, let's say, more than 10 resources of type image, I would like to be able to deny further requests on resource /image with post scope, thus limiting a user's ability to upload more than 10 images in my application. For the resource definition and the mentioned fields of owner and type, see https://www.keycloak.org/docs/latest/authorization_services/index.html#_resource_view – ichantz Sep 07 '22 at 08:17
  • Thanks, now I understand your request. I have only experienced [time based policy evaluation](https://wjw465150.gitbooks.io/keycloak-documentation/content/authorization_services/topics/policy/time-policy.html); I have no idea how to evaluate the number of uploaded resources. – Bench Vue Sep 07 '22 at 08:51

0 Answers