
Extend the JSPolicyEvaluationContext #29267

Open
bahner opened this issue May 3, 2024 · 0 comments
Labels
kind/enhancement Categorizes a PR related to an enhancement status/triage

Comments


bahner commented May 3, 2024

Description

The evaluation available in JavaScript policies is very restricted. Concretely, I wanted to create a "DenySelfElevation" policy which matched the id of the context identity() with the userId being added to a group. I could, for example, have solved this by parsing the requestPath, but that is not available, as far as I can tell.

Please consider adding the KeycloakSession to the evaluation context, or a subset thereof.

Discussion

No response

Motivation

It will greatly enhance what's possible to achieve in JavaScript policies.

Details

Adding this data to $evaluation seems like a minor task. setXXX() functions should not be available, and as such there doesn't seem to be any major security vector arising from this. Since JavaScript policies are provided as jar files, this is also not something that users will be able to exploit in any meaningful way with regard to leakage of PII.
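The "deny self-elevation" check described in this issue, as an added example that is not part of the issue or of Keycloak itself: the policy body is written as a plain function over a constructed stand-in for `$evaluation` so it runs in Node, and the attribute `kc.target.user_id` carrying the id of the user being added to the group is a hypothetical extension of the context (the kind of data the issue asks for), not something Keycloak exposes today.

```javascript
// Added example, not from the issue or Keycloak. A Keycloak JavaScript policy
// normally reads the global `$evaluation`; here it is passed in as a parameter
// so the logic can be exercised offline.
// Hypothetical assumption: the evaluation context exposes the id of the user
// being added to the group as the attribute "kc.target.user_id".
const TARGET_USER_ATTR = "kc.target.user_id";

function denySelfElevationPolicy(evaluation) {
  const context = evaluation.getContext();
  const callerId = context.getIdentity().getId();
  // Attributes.getValue() yields null when the attribute is absent, so missing
  // target data falls through to deny: the policy fails closed, not open.
  const target = context.getAttributes().getValue(TARGET_USER_ATTR);
  const targetId = target ? target.asString(0) : null;
  if (targetId !== null && targetId !== callerId) {
    evaluation.grant();
  } else {
    evaluation.deny();
  }
}

// Constructed stand-in for Keycloak's $evaluation object, mirroring only the
// accessor names used above (getContext, getIdentity, getAttributes, grant, deny).
function makeEvaluation(callerId, attrs) {
  const decision = { granted: false };
  return {
    getContext: () => ({
      getIdentity: () => ({ getId: () => callerId }),
      getAttributes: () => ({
        getValue: (name) =>
          name in attrs ? { asString: () => attrs[name] } : null,
      }),
    }),
    grant: () => { decision.granted = true; },
    deny: () => { decision.granted = false; },
    result: () => decision.granted,
  };
}

// Runs the policy against a constructed context and returns the decision.
function decide(callerId, attrs) {
  const ev = makeEvaluation(callerId, attrs);
  denySelfElevationPolicy(ev);
  return ev.result();
}
```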

@bahner bahner added kind/enhancement Categorizes a PR related to an enhancement status/triage labels May 3, 2024