diff --git a/docs/documentation/authorization_services/topics.adoc b/docs/documentation/authorization_services/topics.adoc index f6460d85775..1c6806087be 100644 --- a/docs/documentation/authorization_services/topics.adoc +++ b/docs/documentation/authorization_services/topics.adoc @@ -96,4 +96,6 @@ include::topics/service-rpt-overview.adoc[leveloffset=+2] include::topics/service-rpt-token-introspection.adoc[leveloffset=+3] -include::topics/enforcer-js-adapter.adoc[leveloffset=+1] +include::topics/enforcer-overview.adoc[leveloffset=+1] + +include::topics/enforcer-js-adapter.adoc[leveloffset=+2] diff --git a/docs/documentation/authorization_services/topics/auth-services-architecture.adoc b/docs/documentation/authorization_services/topics/auth-services-architecture.adoc index 0ee6686371f..09321d6eaac 100644 --- a/docs/documentation/authorization_services/topics/auth-services-architecture.adoc +++ b/docs/documentation/authorization_services/topics/auth-services-architecture.adoc @@ -20,7 +20,7 @@ For more information, see <<_service_obtaining_permissions, Obtaining Permission * **Policy Enforcement Point (PEP)** + Provides implementations for different environments to actually enforce authorization decisions at the resource server side. -{project_name} provides some built-in Policy Enforcers. +{project_name} provides some built-in <<_enforcer_overview, Policy Enforcers>>. + * **Policy Information Point (PIP)** @@ -78,7 +78,7 @@ what you want to protect (resource or scope) and the policies that must be satis image:images/pep-pattern-diagram.png[alt="PEP overview"] -{project_name} provides some built-in Policy Enforcers implementations that you can use to protect your applications depending on the platform they are running on. +{project_name} provides some built-in <<_enforcer_overview, Policy Enforcers>> implementations that you can use to protect your applications depending on the platform they are running on. == Authorization services diff --git a/docs/documentation/authorization_services/topics/enforcer-overview.adoc b/docs/documentation/authorization_services/topics/enforcer-overview.adoc new file mode 100644 index 00000000000..8b912d1dc24 --- /dev/null +++ b/docs/documentation/authorization_services/topics/enforcer-overview.adoc @@ -0,0 +1,11 @@ +[[_enforcer_overview]] += Policy enforcers + +Policy Enforcement Point (PEP) is a design pattern and as such you can implement it in different ways. {project_name} provides all the necessary means to implement PEPs for different +platforms, environments, and programming languages. {project_name} Authorization Services presents a RESTful API and leverages OAuth2 authorization capabilities for fine-grained +authorization using a centralized authorization server. + +The Policy enforcers available by {project_name} are: + +* {securing_apps_java_policy_enforcer_link}[{securing_apps_java_policy_enforcer_name}] - useful to be used in the Java client applications +* <<_enforcer_js_adapter, Javascript Policy enforcer>> - useful to be used in the applications secured by {project_name} Javascript adapter diff --git a/docs/documentation/authorization_services/topics/resource-server-default-config.adoc b/docs/documentation/authorization_services/topics/resource-server-default-config.adoc index b29567137d0..66fcebb5a78 100644 --- a/docs/documentation/authorization_services/topics/resource-server-default-config.adoc +++ b/docs/documentation/authorization_services/topics/resource-server-default-config.adoc @@ -16,7 +16,7 @@ image:images/resource-server/default-resource.png[alt="Default resource"] This resource defines a `Type`, namely `urn:my-resource-server:resources:default` and a `URI` `/*`. Here, the `URI` field defines a wildcard pattern that indicates to {project_name} that this resource represents all the paths in your application. In other words, -when enabling policy enforcement for your application, all the permissions associated with the resource +when enabling <<_enforcer_overview, policy enforcement>> for your application, all the permissions associated with the resource will be examined before granting access. The `Type` mentioned previously defines a value that can be used to create <<_permission_typed_resource, typed resource permissions>> that must be applied diff --git a/docs/documentation/authorization_services/topics/service-protection-permission-api-papi.adoc b/docs/documentation/authorization_services/topics/service-protection-permission-api-papi.adoc index b483b8e3219..67cdc88dadc 100644 --- a/docs/documentation/authorization_services/topics/service-protection-permission-api-papi.adoc +++ b/docs/documentation/authorization_services/topics/service-protection-permission-api-papi.adoc @@ -12,7 +12,7 @@ A <<_overview_terminology_permission_ticket, permission ticket>> is a special se `A correlation handle that is conveyed from an authorization server to a resource server, from a resource server to a client, and ultimately from a client back to an authorization server, to enable the authorization server to assess the correct policies to apply to a request for authorization data.` -In most cases, you won't need to deal with this endpoint directly. {project_name} provides a policy enforcer that enables UMA for your +In most cases, you do not need to deal with this endpoint directly. {project_name} provides a <<_enforcer_overview, policy enforcer>> that enables UMA for your resource server so it can obtain a permission ticket from the authorization server, return this ticket to client application, and enforce authorization decisions based on a final requesting party token (RPT). The process of obtaining permission tickets from {project_name} is performed by resource servers and not regular client applications, diff --git a/docs/documentation/authorization_services/topics/service-protection-protection-api.adoc b/docs/documentation/authorization_services/topics/service-protection-protection-api.adoc index d53860476d3..e1354087899 100644 --- a/docs/documentation/authorization_services/topics/service-protection-protection-api.adoc +++ b/docs/documentation/authorization_services/topics/service-protection-protection-api.adoc @@ -5,7 +5,7 @@ The Protection API provides a UMA-compliant set of endpoints providing: * *Resource Management* + -With this endpoint, resource servers can manage their resources remotely and enable policy enforcers to query the server for the resources that need protection. +With this endpoint, resource servers can manage their resources remotely and enable <<_enforcer_overview, policy enforcers>> to query the server for the resources that need protection. * *Permission Management* + diff --git a/docs/documentation/authorization_services/topics/service-rpt-token-introspection.adoc b/docs/documentation/authorization_services/topics/service-rpt-token-introspection.adoc index 00bbb07c07f..30f69be70cc 100644 --- a/docs/documentation/authorization_services/topics/service-rpt-token-introspection.adoc +++ b/docs/documentation/authorization_services/topics/service-rpt-token-introspection.adoc @@ -6,7 +6,7 @@ Sometimes you might want to introspect a requesting party token (RPT) to check i There are two main use cases where token introspection can help you: * When client applications need to query the token validity to obtain a new one with the same or additional permissions -* When enforcing authorization decisions at the resource server side, especially when none of the built-in policy enforcers fits your application +* When enforcing authorization decisions at the resource server side, especially when none of the built-in <<_enforcer_overview, policy enforcers>> fits your application = Obtaining Information about an RPT diff --git a/docs/documentation/topics/templates/document-attributes.adoc b/docs/documentation/topics/templates/document-attributes.adoc index 20587e65f77..0c07b254430 100644 --- a/docs/documentation/topics/templates/document-attributes.adoc +++ b/docs/documentation/topics/templates/document-attributes.adoc @@ -125,3 +125,5 @@ :securing_apps_name: Securing applications Guides :securing_apps_name_short: Securing applications :securing_apps_link: https://www.keycloak.org/guides#securing-apps +:securing_apps_java_policy_enforcer_link: https://www.keycloak.org/securing-apps/policy-enforcer +:securing_apps_java_policy_enforcer_name: Java Policy enforcer