Extending Keycloak Authorization Using External Data

tl;dr: Is there a way to extend Keycloak’s authorization services so that I could include a call to an external API when evaluating a policy?

I’ve been using Keycloak for authentication for a while and would like to start using it for authorization as well. That said, I have external data, specifically which department’s data a user has access to. So is there a way to extend Keycloak’s authorization services so that I could include a call to an external API when evaluating a policy?

I’ve spent some time with the documentation and searching around and I see 2 possible ways to do this:

  1. Create a JavaScript policy to call the external API
  2. Create a proxy on top of Keycloak’s authorization endpoints to do evaluation once Keycloak is done

Has anyone tried any of these? Or does anyone have any additional ideas I haven’t found yet?

Hi, I’m curious, have you resolved this?
I would guess option 1 is the correct one, but I haven’t tried.

As you suspected, I resolved this using option 1. I created a simple JavaScript utility for Nashorn that allows me to make an HTTP connection to a separate service. This script gets included in all my actual JavaScript policies. The service accepts the claims that get sent when the policy is evaluated and makes a yes or no decision based on that. I use that result in the actual JavaScript policy.

2 Likes
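The approach described in the reply above, written out as an added example (this is not the poster's script and not Keycloak's own code): a Keycloak JavaScript policy for the Nashorn engine that builds a small JSON request from the evaluation context, POSTs it to an external decision service, and grants only on an explicit `allow: true`. The `$evaluation` object and its `getContext()`, `getIdentity()`, `getPermission()`, `grant()` and `deny()` methods are Keycloak's policy API; the service URL, the bearer token, the request and response JSON shapes, and the `preferred_username` user attribute are assumptions. The HTTP transport is isolated in `httpPostJson` and injected into `evaluate`, so the decision logic can be exercised outside Keycloak with a fake transport. Note that newer Keycloak releases require script policies to be packaged and deployed as a JAR rather than pasted into the admin console.

```javascript
// Added example, not the thread author's script: a Keycloak JavaScript policy (Nashorn)
// that delegates the decision to an external HTTP service and fails closed.
// Assumptions: DECISION_URL, DECISION_TOKEN and the JSON request/response shapes.

var DECISION_URL = 'https://authz.internal.example/decide'; // assumed endpoint
var DECISION_TOKEN = 'replace-with-a-deployment-secret';     // assumed shared secret
var TIMEOUT_MS = 2000; // bound the wait: a hung decision service must not hang every login

// Read one value from a Keycloak Attributes object (user or context); null if unset.
function attr(attributes, name) {
  var entry = attributes ? attributes.getValue(name) : null;
  return entry ? String(entry.asString(0)) : null;
}

// Turn the java.util.Collection of Scope objects into plain scope names.
function scopeNames(scopes) {
  var names = [];
  if (!scopes) return names;
  var it = scopes.iterator();
  while (it.hasNext()) names.push(String(it.next().getName()));
  return names;
}

// Send only what the service needs: who, which resource, which scopes, via which client.
// Do not forward the whole token; the service should not see claims it does not decide on.
function buildRequest(evaluation) {
  var ctx = evaluation.getContext();
  var identity = ctx.getIdentity();
  var permission = evaluation.getPermission();
  var resource = permission.getResource(); // null for scope-only permissions
  return {
    subject: String(identity.getId()),
    username: attr(identity.getAttributes(), 'preferred_username'), // assumed attribute
    client: attr(ctx.getAttributes(), 'kc.client.id'),
    resource: resource ? String(resource.getName()) : null,
    scopes: scopeNames(permission.getScopes())
  };
}

// Only an explicit boolean true grants; missing field, the string "true", or anything
// else denies, so a changed or broken service cannot accidentally widen access.
function isAllowed(response) {
  return !!response && typeof response === 'object' && response.allow === true;
}

// Policy body. `post` is injected so the logic can be tested without a Keycloak runtime.
function evaluate(evaluation, post) {
  var allowed = false;
  try {
    allowed = isAllowed(post(DECISION_URL, buildRequest(evaluation)));
  } catch (e) {
    allowed = false; // timeout, refused connection, non-200, malformed JSON: deny
  }
  if (allowed) evaluation.grant(); else evaluation.deny();
  return allowed;
}

// Nashorn-only transport using JDK classes; runs inside Keycloak, not in Node.
function httpPostJson(url, body) {
  var URL = Java.type('java.net.URL');
  var JString = Java.type('java.lang.String');
  var Scanner = Java.type('java.util.Scanner');
  var conn = new URL(url).openConnection();
  conn.setConnectTimeout(TIMEOUT_MS);
  conn.setReadTimeout(TIMEOUT_MS);
  conn.setRequestMethod('POST');
  conn.setDoOutput(true);
  conn.setRequestProperty('Content-Type', 'application/json');
  conn.setRequestProperty('Authorization', 'Bearer ' + DECISION_TOKEN); // assumed auth scheme
  var out = conn.getOutputStream();
  out.write(new JString(JSON.stringify(body)).getBytes('UTF-8'));
  out.close();
  if (conn.getResponseCode() !== 200) {
    throw new Error('decision service returned ' + conn.getResponseCode());
  }
  var text = new Scanner(conn.getInputStream(), 'UTF-8').useDelimiter('\\A').next();
  return JSON.parse(String(text));
}

// Keycloak injects $evaluation when it runs the script; the guard keeps the file
// loadable (and testable) where no Keycloak runtime is present.
if (typeof $evaluation !== 'undefined') evaluate($evaluation, httpPostJson);
```

The two points worth keeping from this shape: every failure path ends in `deny()` rather than falling through, and the transport has explicit connect and read timeouts, because a policy that blocks on an unresponsive dependency stalls the whole authorization request. Use `https` and a credential the service actually checks; an unauthenticated decision endpoint lets anyone who can reach it probe which subjects are allowed what.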

Can you share the policy script source? Would be great to see some examples.

1 Like