Hi,
Regarding the composite role I believe there should be a limit to how many roles there can
be in a composite role - for practical reasons. Not sure if this will solve the issue
since there is no limit to the depth of the composition. So maybe a limit here might be in
order.
Not sure, but on the current state I think someone might be able to pull a denial of
service attack using the composite roles? They might be sabotaging themselves though :).
There might be another limit on the number of realms a single user can manage.
Another idea:
I've noticed that some IDM ask you to select the account you wish to operate
beforehand.
Maybe this could be used to request the scopes / roles just for that realm.
We have an api that lists the realms.
User selects the realm and asks for a token for that realm only.
We use this pattern in our app secured with keycloak.
Eugen Stan
Netdava International
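The bound on the number of roles and on the composition depth suggested above, written out as an added Python example aimed at the whoami blow-up described in the quoted message below. This is not Keycloak's own code; the role names, the one-composite-per-realm layout and the limit values are constructed for illustration.

```python
from collections import deque


class CompositeLimitExceeded(Exception):
    """Raised when expanding a composite role would exceed a configured bound."""


def resolve_effective_roles(role_graph, root, max_depth=5, max_roles=500):
    """Expand a composite role into the flat set of roles it grants.

    role_graph maps a role name to the list of roles it directly composes
    (an empty list for a plain, non-composite role). The walk is breadth-first,
    records visited roles so a cycle cannot loop forever, and aborts as soon as
    either the composition depth or the number of reachable roles passes its bound,
    instead of materialising an unbounded result.
    """
    seen = {root}
    queue = deque([(root, 0)])
    while queue:
        role, depth = queue.popleft()
        for child in role_graph.get(role, []):
            if child in seen:
                continue  # already expanded; also protects against cycles
            if depth + 1 > max_depth:
                raise CompositeLimitExceeded(
                    f"composition depth {depth + 1} exceeds {max_depth} at {child}")
            seen.add(child)
            if len(seen) > max_roles:
                raise CompositeLimitExceeded(
                    f"more than {max_roles} roles reachable from {root}")
            queue.append((child, depth + 1))
    return seen


def build_all_realms_admin(realm_count,
                           admin_roles=("manage-users", "view-realm", "manage-clients")):
    """Constructed sample graph: one composite that pulls in the admin roles of every realm.

    With 400 realms this is 1 + 400 + 1200 roles for a single whoami call.
    """
    graph = {"all-realms-admin": []}
    for i in range(realm_count):
        realm_composite = f"realm-{i}-admin"
        graph["all-realms-admin"].append(realm_composite)
        graph[realm_composite] = [f"realm-{i}:{r}" for r in admin_roles]
    return graph
```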
Original message
From: sthorger(a)redhat.com
Sent: 16 July 2019 10:42
To: Gregor.Tudan(a)cofinpro.de
Reply to: stian(a)redhat.com
Cc: keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] Scalability Problems with the admin console
PRs for this would be more than welcome. It's been a while since I've
looked at this, but there's at least the two issues identified in the
issues, pagination of realms and whoami. Pagination on the realm list page
would be simple enough, but how to do it for the drop-down needs some
consideration. The whoami issue boils down to the fact that the admin can
have a composite role that adds roles for all realms, which quickly can
explode. Not sure how to solve that one as we don't really want to have
some additional admin console specific logic in how composite roles are
resolved.
On Mon, 8 Jul 2019 at 16:34, Gregor Tudan <Gregor.Tudan(a)cofinpro.de> wrote:
Hi there,
We are running a Keycloak instance with quite a lot of realms (~400 and
growing) and are starting to get into the dreaded scalability issue of the
admin console (https://issues.jboss.org/browse/KEYCLOAK-6096). I’ve been
watching the issue for quite a while now and you made it clear that this
isn’t a top priority at the moment.
The issue is flagged with "Awaiting volunteers" and I’d love to contribute.
The design proposed by the reporter sounds reasonable. There would have to
be some changes to the whoami-API (which seems to be exclusively used by
the console). The Realms-API would need pagination, which could be kept
backwards compatible. There’s already a page in the admin-ui for
realm-selection that we could add pagination to:
https://service-e.tech.visualvest.de/auth/admin/master/console/#/realms
What do you think? Can I go ahead and give it a try?
Thanks,
Gregor
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev