tl;dr: Is there a way to extend Keycloak’s authorization services so that I could include a call to an external API when evaluating a policy?
I’ve been using Keycloak for authentication for a while and would like to start using it for authorization as well. That said, I have external data, specifically which department’s data a user has access to. So is there a way to extend Keycloak’s authorization services so that I could include a call to an external API when evaluating a policy?
I’ve spent some time with the documentation and searching around and I see 2 possible ways to do this:
- Create a JavaScript policy to call the external API
- Create a proxy on top of Keycloak’s authorization endpoints to do evaluation once Keycloak is done
Has anyone tried any of these? Or does anyone have any additional ideas I haven’t found yet?