The idea is to allow that after policy definitions it is possible to automatically or arbitrarily execute an action on all clients affected by the policy.

There are cases like client secret rotation where the application of the policy clearly implies making updates to the client, including or changing attributes. These are policies that modify the state of the client. In the current context we can only expect these updates to occur in the execution of this policy, which may occur during the next login or in the next update or any other event whose policy is sensitive to interception.

With the trigger update functionality, KC could offer the opportunity to apply this update without having to wait for the client to perform some action.

One possibility would be a new event type launched at the time the policy is updated. Policy executors wishing to react to this event would simply add it to their list of predicted events and take any action they deem necessary.

Examples

Scenario 1: Define expiration time for a secret using Admin UI.

• Create a client
• Define client access_type as confidential
• Create a policy (configure it)
• Explicitly trigger an event to apply the policy immediately on all confidential clients

Scenario 2: Update a new policy for existing clients using Admin UI.

• Create the policy
• Configure policy to access_type as bearer only
• Explicitly trigger an event to apply the policy immediately on all existing bearer_only clients

It is important to have a way to intercept both when a policy is activated and when the same policy is deactivated.