[keycloak-user] Fwd: Multi-tiered Permissions
Warren, Scott
swarren at sumglobal.com
Fri Jan 4 10:28:26 EST 2019
Hi Dmitry,
I really like that idea. Thanks for the suggestion. I'll give it a try.
Thanks,
Scott
On Fri, Jan 4, 2019 at 9:25 AM Dmitry Telegin <dt at acutus.pro> wrote:
> Hi Warren,
>
> Have you ever thought of implementing stores on the Keycloak side?
>
> Off the top of my head, I can suggest implementing them either as
> (hierarchical) groups, or using custom JPA entity [1].
>
> It is not clear if you already have a database with stores or only
> planning to create and populate it. In the former case you will need to set
> up proper synchronization of store data to Keycloak; in the latter case the
> need for an external DB will be eliminated.
> In both cases you will have to implement Admin Console GUI additions [2]
> to manage user-store-scope associations.
>
> The benefits of this approach:
> - improved manageability - you manage everything in one place, i.e.
> Keycloak Admin Console;
> - performance - this will eliminate the need to perform calls to an
> external system per each incoming HTTP request, which might have
> significant performance impact. Keycloak will already have all the
> necessary info to evaluate policies.
>
> You can take a look at BeerCloak [3], a complete all-in-one example that
> contains custom JPA entity, Admin Console customizations and the necessary
> wiring. I'm already thinking about adding an example authorization policy
> that would involve custom JPA entities.
>
> To Pedro: I'd also much appreciate your opinion on this approach, so
> please let me know what you think.
>
> [1]
> https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
> [2]
> https://www.keycloak.org/docs/latest/server_development/index.html#_themes
> [3] https://github.com/dteleguin/beercloak
>
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-12-28 at 19:01 -0500, Warren, Scott wrote:
> > Yeah, I made my original example very simple as I was trying to point out
> > the multi-tiered permission issue rather than getting bogged down in the
> > myriad of scopes. Users can have 1-to-many scopes across several stores.
> > It's not as simple as "if primary store grant this scope set, else grant
> > that scope set". Life would be a lot easier if it was :)
> > It sounds like a CIP service accessing an external DB is the 'correct'
> > answer for this scenario. I see no other clean way to tie
> > users->stores->scopes.
> > Thanks for your help!
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Scott G. Warren
SUM Global Technology
swarren at sumglobal.com
678.469.3455
More information about the keycloak-user
mailing list