I need it to move forward. You or me. I don't care.
On 3/22/17 5:45 PM, Pedro Igor Silva wrote:
Btw, are you already looking at this, or do you want me to write it down?
On Wed, Mar 22, 2017 at 6:08 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
I see. That makes sense. It would save a lot of work and can also be useful for people looking to hook their own resources without necessarily creating them.
Regards.
Pedro Igor
On Wed, Mar 22, 2017 at 5:04 PM, Bill Burke <bburke(a)redhat.com> wrote:
I want to use the AuthZ service to implement fine-grained admin console permissions. To do this, I foresee that I'll have to define resources that correspond one to one to objects in the Keycloak domain model, specifically roles, groups, and clients. There are a few problems with this approach:

* Some deployments of Keycloak have tens of thousands of roles and groups, or hundreds of clients.
* Synchronizing an AuthZ resource that represents a role, group, etc. must be done, i.e. when the role/group/client is removed or renamed.
* I'd like for policies to be able to have the real object that the resource represents when evaluating policies.

I want to suggest something similar to what we've done with the User Storage SPI, in that links to AuthZ resources are a "smart" id:

"f:" + providerId + ":" + resource id

When evaluating policies the engine would navigate to a provider that could load an instance of the Resource interface. This way I could represent a role or group as an AuthZ resource without creating a resource in the AuthZ datamodel. Am I making sense?

Bill
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
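The "smart" id scheme Bill sketches above, worked through as an added Java example; this is not Keycloak's code. SmartResourceId, ResourceView, ResourceLoader and Resolver are hypothetical names, the role table in main() is a constructed sample, and the parser splits on the first ':' after the "f:" prefix only, so a provider-side resource id may itself contain colons.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public final class SmartResourceId {
    static final String PREFIX = "f:";
    final String providerId;
    final String resourceId;
    SmartResourceId(String p, String r) { providerId = p; resourceId = r; }

    // Encodes as "f:" + providerId + ":" + resourceId, the shape proposed in the thread.
    String encode() { return PREFIX + providerId + ":" + resourceId; }

    // Empty for a plain id, i.e. a resource that really lives in the AuthZ datamodel.
    // Only the first ':' after the prefix separates provider from resource id, so the
    // resource id may itself contain ':'. A prefixed but malformed id is rejected.
    static Optional<SmartResourceId> parse(String id) {
        if (id == null || !id.startsWith(PREFIX)) return Optional.empty();
        String rest = id.substring(PREFIX.length());
        int sep = rest.indexOf(':');
        if (sep <= 0 || sep == rest.length() - 1)
            throw new IllegalArgumentException("malformed smart id: " + id);
        return Optional.of(new SmartResourceId(rest.substring(0, sep), rest.substring(sep + 1)));
    }

    // What a policy would receive: the id plus the real domain object (hypothetical shape).
    record ResourceView(String id, String type, Object model) {}
    // Hypothetical provider SPI: materialises a view for an id it owns, without storing it.
    interface ResourceLoader { Optional<ResourceView> load(String resourceId); }

    static final class Resolver {
        final Map<String, ResourceLoader> loaders = new HashMap<>();
        final Map<String, ResourceView> stored = new HashMap<>(); // stands in for the AuthZ store
        Optional<ResourceView> resolve(String id) {
            Optional<SmartResourceId> smart = parse(id);
            if (smart.isEmpty()) return Optional.ofNullable(stored.get(id));
            ResourceLoader loader = loaders.get(smart.get().providerId);
            // Unknown provider: resolve to nothing rather than guessing at a store lookup.
            return loader == null ? Optional.empty() : loader.load(smart.get().resourceId);
        }
    }

    public static void main(String[] args) {
        Resolver r = new Resolver();
        Map<String, String> roles = Map.of("realm-admin", "role-uuid-1"); // constructed sample role
        r.loaders.put("role", rid -> Optional.ofNullable(roles.get(rid)).map(m -> new ResourceView(rid, "role", m)));
        String id = new SmartResourceId("role", "realm-admin").encode(); // "f:role:realm-admin"
        System.out.println(r.resolve(id).map(ResourceView::type).orElse("none") + " " + r.resolve("f:group:x").isPresent()); // role false
    }
}
```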