[keycloak-dev] Possible feature: role attributes
Schuster Sebastian (INST/ESY1)
Sebastian.Schuster at bosch-si.com
Mon Aug 27 07:26:46 EDT 2018
Hi everybody,
We have a use case where we would like to store additional meta-information for roles. This comes from our IAM requirements, which say there is a single responsible person for a role or that roles give access to data with different classifications. One way to store this kind of information would be to introduce role attributes to client and realm roles, basically similar to user or group attributes.
For us, it would be sufficient to have this information purely as metadata, i.e. we would only read it through the audit log to inform the responsible person about role assignments if a role with a certain classification is assigned. In contrast to that, you can add group and user attributes to a token using user attribute mappers and the client application can extract this information from the token and act on it.
WDYT? Does anybody else have similar requirements? Would you need role custom attributes also in the token? I can imagine that it gets kind of difficult to identify where attributes come from, once there are user, group, and role attributes, possibly with inheritance/composition.
Best regards,
Sebastian
Mit freundlichen Grüßen / Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
Registered office: Berlin, Registration court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn