Hi,
I have read the threads about the tenantId/integration with Keycloak, but I am still
having some doubts about the ideal flow.
Please let me know if my flow is correct:
- We will have users associated with tenants, so a tuple (tenantId, userId) should be unique,
i.e. (tenantA, userA), (tenantB, userA).
- A tuple (tenantId, userId) will have an associated list of roles (with a hierarchy like an
organization?).
- Metrics/Definitions/Resources should be unique by tenant, so our backend should have
something like (tenantId, {metricId|resourceId|definitionId}).
- In the APIs, tenantId will be explicit nor implicit.
- Keycloak would be responsible for passing a (tenantId, userId) + roles list to the
component/application.
So, my main doubt is about how we are thinking of working with authorization. I guess
that the component backend should define some authorization rules based on roles and
permissions, right?
I guess that this part should be more or less shared for all components.
Is there any draft about it?
Perhaps this question is very early and it can be put on hold for later, but I am just curious
about it, as I would like to think about possible impacts.
Thanks,
Lucas