Chapter 6. Red Hat Single Sign-On Continuous Delivery 7.3.CD02

UMA 2.0 is now supported for Authorization Services. Check the documentation for more details if you are coming from previous versions of Red Hat Single Sign-On.

Clients applications are now able to send arbitrary claims to Red Hat Single Sign-On along with an authorization request in order to evaluate permissions based on these claims. This is a very handy addition when access should be granted (or denied) in the scope of a specific transaction or based on information about the runtime.

It is now possible to associated attributes with resources protected by Red Hat Single Sign-On and use these same attributes to evaluate permissions from your policies.

In some situations, you may want to just send regular access tokens to a resource server but still be able to enforce policies on these resources.

One of the main changes introduced by this release is that you are no longer required to exchange access tokens with RPTs in order to access resources protected by a resource server (when not using UMA). Depending on how the policy enforcer is configured on the resource server side, you can just send regular access tokens as a bearer token and permissions will still be enforced.

Until now, when deploying an application configured with a policy-enforcer, the policy enforcer would either load all protected paths from the server or just map these paths from the adapter configuration. Users can now decide to load paths on-demand from the server and avoid map these resources in the adapter configuration. Depending on how many protected resources you have this functionality can also improve the time to deploy an application.

In order to avoid unnecessary hits to the server, the policy enforcer caches the mapping between protected resources and their corresponding paths in your application. Users can now configure the behaviour of the cache or even completely disable it.

The policy-enforcer definition on the adapters (keycloak.json) was also updated to support the concept of pushed claims. There you have the concept of a claim-information-point which can be set to push claims from different sources such as the HTTP request or even from an external HTTP service.

The Evaluation API used to implement policies in Red Hat Single Sign-On, especially JavaScript and Drools policies, provides now methods to:

UMA 2.0 is now supported for Authorization Services, including support for users to manage user access through the account management console. There are also other additions and improvements to authorization services.

Clients can now push additional claims and have them used by policies when evaluating permissions.

It is now possible to define attributes on resources in order to have them used by policies when evaluating permissions.

We now have support for Spring Boot 2.

We now have support for Fuse 7.

The JavaScript adapter now supports native promises. It retains support for the old style promises as well. Both can be used interchangeably.

It is now possible to pass Cordova-specific options to login and other methods in the JavaScript adapter. Thanks to loorent for the contribution.