[keycloak-dev] ResourceFactory SPI for AuthZ service

Pedro Igor Silva psilva at redhat.com
Wed Mar 22 19:11:03 EDT 2017


I'll be busy this week and probably next week preparing a PR with Elytron
adapters. Just sent an email about it.

If you can wait until then ...

Regards.
Pedro Igor

On Wed, Mar 22, 2017 at 7:52 PM, Bill Burke <bburke at redhat.com> wrote:

> I need it to move forward.  You or me.  I don't care.
>
> On 3/22/17 5:45 PM, Pedro Igor Silva wrote:
>
> Btw, are you already looking at this or do you want me to write it down?
>
> On Wed, Mar 22, 2017 at 6:08 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> I see. That makes sense. It would save a lot of work and can also be
>> useful for people looking to hook their own resources without necessarily
>> creating them.
>>
>> Regards.
>> Pedro Igor
>>
>> On Wed, Mar 22, 2017 at 5:04 PM, Bill Burke <bburke at redhat.com> wrote:
>>
>>> I want to use the AuthZ service to implement fine-grained admin console
>>> permissions.  To do this, I foresee that I'll have to define resources
>>> that correspond one-to-one to objects in the Keycloak domain model,
>>> specifically roles, groups, and clients.  There are a few problems with
>>> this approach:
>>>
>>>   * Some deployments of Keycloak have tens of thousands of roles and
>>>     groups or hundreds of clients
>>>   * Synchronizing an AuthZ resource that represents a role, group, etc.
>>>     must be done, i.e. when a role/group/client is removed or renamed.
>>>   * I'd like for policies to be able to have the real object that the
>>>     resource represents when evaluating policies
>>>
>>> I want to suggest something similar to what we've done with the User
>>> Storage SPI, in that links to AuthZ resources are a "smart" id:
>>>
>>> "f:" + providerId + ":" + resource id
>>>
>>> When evaluating policies the engine would navigate to a provider that
>>> could load an instance of the Resource interface.  This way I could
>>> represent a role or group as an AuthZ resource without creating a
>>> resource in the AuthZ data model.  Am I making sense?
>>>
>>> Bill
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>>
>
>
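The "smart" id scheme Bill proposes above, sketched as an added example that is not Keycloak's code and not part of this thread. The `Resource`, `ResourceProvider`, `ResourceResolver` and `RoleResourceProvider` types, the `realm-role` type string and the in-memory role map are all assumptions made for the illustration; Keycloak's real `Resource` interface is richer than the stand-in here. The point it shows is the one the bullets raise: a `f:` id is parsed and routed to a provider that loads the domain object on demand, so nothing is stored per role or group and nothing has to be kept in sync, and a deleted role or an unknown provider simply resolves to no resource, which a policy evaluation should treat as "not found" rather than grant.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Minimal stand-in for the AuthZ Resource interface (assumed shape, not Keycloak's).
interface Resource {
    String getId();
    String getName();
    String getType();
}

// Hypothetical provider SPI: builds a Resource view of a domain object (role, group, client) on demand.
interface ResourceProvider {
    String getProviderId();
    Optional<Resource> loadResource(String localId);
}

// Parses and builds ids of the form "f:" + providerId + ":" + localId, as proposed in the thread.
final class SmartResourceId {
    static final String PREFIX = "f:";
    final String providerId;
    final String localId;

    private SmartResourceId(String providerId, String localId) {
        this.providerId = providerId;
        this.localId = localId;
    }

    // Empty for plain stored ids and for malformed smart ids (missing provider or local part).
    static Optional<SmartResourceId> parse(String id) {
        if (id == null || !id.startsWith(PREFIX)) {
            return Optional.empty();
        }
        String rest = id.substring(PREFIX.length());
        int sep = rest.indexOf(':'); // split on the first ':' only, so a local id may itself contain ':'
        if (sep <= 0 || sep == rest.length() - 1) {
            return Optional.empty();
        }
        return Optional.of(new SmartResourceId(rest.substring(0, sep), rest.substring(sep + 1)));
    }

    String toId() {
        return PREFIX + providerId + ":" + localId;
    }
}

// Routes smart ids to the registered provider; anything else is looked up in the stored AuthZ model.
final class ResourceResolver {
    private final Map<String, ResourceProvider> providers = new HashMap<>();
    private final Map<String, Resource> stored = new HashMap<>(); // stands in for the AuthZ datastore

    void register(ResourceProvider provider) {
        providers.put(provider.getProviderId(), provider);
    }

    void store(Resource resource) {
        stored.put(resource.getId(), resource);
    }

    Optional<Resource> resolve(String id) {
        Optional<SmartResourceId> smart = SmartResourceId.parse(id);
        if (smart.isPresent()) {
            ResourceProvider provider = providers.get(smart.get().providerId);
            if (provider == null) {
                return Optional.empty(); // unknown provider: fail closed, the caller sees no resource
            }
            return provider.loadResource(smart.get().localId);
        }
        return Optional.ofNullable(stored.get(id));
    }
}

// Example provider for realm roles, backed by a constructed in-memory map instead of the realm model.
final class RoleResourceProvider implements ResourceProvider {
    private final Map<String, String> rolesById = new HashMap<>(); // role id -> role name (constructed)

    RoleResourceProvider() {
        rolesById.put("role-1", "manage-users");
        rolesById.put("role-2", "view-realm");
    }

    @Override public String getProviderId() { return "role"; }

    @Override public Optional<Resource> loadResource(String localId) {
        String name = rolesById.get(localId);
        if (name == null) {
            return Optional.empty(); // role removed or never existed: no stale AuthZ resource to clean up
        }
        return Optional.of(new Resource() {
            public String getId() { return SmartResourceId.PREFIX + "role:" + localId; }
            public String getName() { return name; }
            public String getType() { return "realm-role"; } // constructed type label
        });
    }
}

public class SmartIdDemo {
    public static void main(String[] args) {
        ResourceResolver resolver = new ResourceResolver();
        resolver.register(new RoleResourceProvider());
        System.out.println(resolver.resolve("f:role:role-1").map(Resource::getName).orElse("<none>")); // existing role
        System.out.println(resolver.resolve("f:role:role-9").isPresent());  // role that does not exist
        System.out.println(resolver.resolve("f:group:g1").isPresent());     // provider never registered
        System.out.println(resolver.resolve("f:role").isPresent());         // malformed smart id
    }
}
```

Only ids that do not start with `f:` ever touch the stored model, so the existing resource table keeps working unchanged while roles, groups and clients are exposed through providers; renames are handled for free because the provider reads the current name each time it is asked.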
