[keycloak-user] Design question for thousands of resource servers

Michael.E.Brown at dell.com
Fri Jan 13 09:54:54 EST 2017


I'm wrestling with a design problem that I could use some help on.

I have a console application that users will log into with OIDC. That console application manages (potentially thousands) of devices. Each device individually has a web-ui that a user can log into with OIDC.

I've pretty much finished the design for individual logins to the console and the individual devices, using Client Roles to enumerate permissions on the console and device, and creating groups that give users access to the roles on the devices they should have permissions to. I've set up a Client Role mapper that adds a "{device|console}_permissions": ["perm1", "perm2", "perm3"... ] to the ID Token. The console or device then uses the ID Token to create a session with the appropriate permissions.

The individual devices also have REST endpoints which the console will access. This is where I am running into a problem. I need a solution for the console to act as a Client and get Access Tokens for each of the individual devices.

There are three access modes where the console uses the device REST apis:
- In the context of a user that is present and logged into the console
- On behalf of a user who may or may not be presently logged in (think scheduled tasks)
- As part of the infrastructure, outside a user context

How can I set up the solution so that the console can get Access Tokens from Keycloak for each of these use cases, and how does each device verify the token? I don't think it will scale to have the initial console login Access Token contain all of the permissions for every device. Additionally, I'm worried about the effects if one device is compromised: it seems that the access token could then be used to make requests on any of the other connected servers. But I am at a loss to find another way to accomplish this.

--
Michael
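One way for each device to verify a console-obtained token against its own identity, as an added example that is not part of the original post and not Keycloak's own code. It assumes each device is a separate client whose id appears in the token's `aud` claim, a `device_permissions` claim like the one the mapper in the post adds, and a constructed HS256 secret standing in for Keycloak's RS256 signing key so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment verifies Keycloak's RS256 signature
# with the realm's public key instead (assumption for an offline example).
DEMO_SECRET = b"constructed-demo-secret"
ISSUER = "https://keycloak.example/auth/realms/devices"  # assumed realm issuer URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Constructed HS256 token so the example is self-contained (not how Keycloak signs)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_for_device(token: str, device_client_id: str, now=None, secret=DEMO_SECRET) -> list:
    """Device-side check: signature, algorithm, issuer, expiry and, crucially, that the
    audience names *this* device, so a token stolen from one device is useless on another.
    Returns the device_permissions list or raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud", [])
    if device_client_id not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("token not issued for this device")
    return list(claims.get("device_permissions", []))


def accepted(token: str, device_client_id: str, now=None) -> bool:
    """Convenience wrapper: True if the device would accept the token."""
    try:
        verify_for_device(token, device_client_id, now=now)
        return True
    except ValueError:
        return False
```

With a per-device audience, the console requests a token scoped to the one device it is about to call, so the token the compromised device sees cannot be replayed against the others.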