All right. I would like to create a prototype for this. I would take inspiration from the
way custom group attributes are currently implemented.
I guess changes would be necessary in the following areas:
· DB schema
· Persistence layer
· Caching layer
· CRUD API
· Admin console
· Admin CLI
· Java client
· Admin events
Anything I missed?
Thanks and best regards,
Sebastian
Mit freundlichen Grüßen / Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY |
www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
Sebastian.Schuster@bosch-si.com
Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber,
Michael Hahn
From: Stian Thorgersen <sthorger@redhat.com>
Sent: Monday, 27 August 2018 13:49
To: Schuster Sebastian (INST/ESY1) <Sebastian.Schuster@bosch-si.com>
Cc: keycloak-dev <keycloak-dev@lists.jboss.org>
Subject: Re: [keycloak-dev] Possible feature: role attributes
I don't think we need to consider adding role attributes to the token. That would very
quickly bloat tokens.
I would like to see a bit more general use of role attributes as part of incorporating
such a feature. Otherwise it would end up being a rather hidden feature. Some ideas I have
in mind:
* Ability to do CRUD of role attributes in admin console
* Ability to query for roles based on attributes
For future work it would be great to have attributes on everything. That would allow us to
do something like OpenShift `oc` does, where you're able to search and delete
everything based on attributes. One nice use-case here is that you can tag all clients,
roles, etc. that belong to a deployment (a group of apps and services) and be able to
view everything that is related to the deployment in Keycloak.
On Mon, 27 Aug 2018 at 13:32, Schuster Sebastian (INST/ESY1)
<Sebastian.Schuster@bosch-si.com> wrote:
Hi everybody,
We have a use case where we would like to store additional meta-information for roles.
This comes from our IAM requirements, which say there is a single responsible person for a
role or that roles give access to data with different classifications. One way to store
this kind of information would be to introduce role attributes to client and realm roles,
basically similar to user or group attributes.
For us, it would be sufficient to have this information purely as metadata, i.e. we would
only read it through the audit log to inform the responsible person about role assignments
if a role with a certain classification is assigned. In contrast to that, you can add
group and user attributes to a token using user attribute mappers and the client
application can extract this information from the token and act on it.
WDYT? Does anybody else have similar requirements? Would you need role custom attributes
also in the token? I can imagine that it gets kind of difficult to identify where
attributes come from, once there are user, group, and role attributes, possibly with
inheritance/composition.
Best regards,
Sebastian
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
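The use case in the original post (role attributes kept purely as metadata, read through the audit log so that the responsible person is informed when a role with a certain classification is assigned) can be sketched as an audit-event consumer. The following is an added example, not code from Keycloak or from anyone in this thread. It assumes that the proposed role attributes exist and hold an `owner` and a `classification` value (assumed attribute names, multi-valued like user and group attributes), and it approximates the shape of Keycloak admin events with the fields `operationType`, `resourceType`, `resourcePath` and a JSON-string `representation` (an assumption about the event format, not a guarantee); the sample events and role metadata are constructed for the example.

```python
"""Route role-assignment audit events to the role's responsible person.

Added example for the keycloak-dev thread on role attributes; not Keycloak code.
"""
import json
from dataclasses import dataclass

# Constructed role metadata, keyed by role name. This is what the proposed
# role attributes would hold; values are lists to mirror user/group attributes.
# (Production code should key by role id: client roles may share names.)
ROLE_ATTRIBUTES = {
    "finance-reader": {"owner": ["alice@example.com"], "classification": ["confidential"]},
    "viewer": {"owner": ["bob@example.com"], "classification": ["internal"]},
}

# Classifications whose assignment the owner wants to hear about (assumed policy).
NOTIFY_CLASSIFICATIONS = {"confidential", "restricted"}

# Admin-event resource types that represent role assignments (assumed names).
ROLE_MAPPING_TYPES = {"REALM_ROLE_MAPPING", "CLIENT_ROLE_MAPPING"}

# Constructed admin-event lines approximating Keycloak's admin event shape.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/1111/role-mappings/realm",
     "representation": json.dumps([{"id": "r1", "name": "finance-reader"},
                                   {"id": "r2", "name": "viewer"}])},
    {"operationType": "UPDATE", "resourceType": "USER",
     "resourcePath": "users/1111",
     "representation": json.dumps({"email": "user@example.com"})},
    {"operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": "users/2222/role-mappings/clients/c1",
     "representation": json.dumps([{"id": "r9", "name": "legacy-admin"}])},
    {"operationType": "DELETE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/1111/role-mappings/realm",
     "representation": json.dumps([{"id": "r1", "name": "finance-reader"}])},
]]


@dataclass(frozen=True)
class Notification:
    recipient: str       # the role owner to inform
    role: str            # role that was assigned
    classification: str  # classification that triggered the notification
    target: str          # resourcePath of the assignment, e.g. users/<id>/role-mappings/realm


def first(values, default=""):
    """Return the first value of a multi-valued attribute, or a default."""
    return values[0] if values else default


def notifications_for(event_lines, role_attrs, classifications=NOTIFY_CLASSIFICATIONS):
    """Scan audit-event lines and decide whom to notify.

    Returns (notifications, roles_without_metadata). Only CREATE operations on
    role-mapping resources count as assignments; everything else is skipped.
    Roles with no metadata are reported separately so the gap is visible
    rather than silently ignored.
    """
    notifications, unknown = [], []
    for line in event_lines:
        event = json.loads(line)
        if event.get("operationType") != "CREATE":
            continue
        if event.get("resourceType") not in ROLE_MAPPING_TYPES:
            continue
        # The representation of a role-mapping event is a JSON list of roles.
        for role in json.loads(event.get("representation") or "[]"):
            name = role.get("name", "")
            attrs = role_attrs.get(name)
            if attrs is None:
                unknown.append(name)
                continue
            classification = first(attrs.get("classification", []))
            owner = first(attrs.get("owner", []))
            if classification in classifications and owner:
                notifications.append(
                    Notification(owner, name, classification, event["resourcePath"]))
    return notifications, unknown


if __name__ == "__main__":
    notes, missing = notifications_for(SAMPLE_EVENTS, ROLE_ATTRIBUTES)
    for n in notes:
        print(f"notify {n.recipient}: role {n.role} ({n.classification}) assigned via {n.target}")
    for name in missing:
        print(f"no metadata for role {name}; cannot determine owner")
```

Running the block notifies alice about the `finance-reader` assignment only: `viewer` is classified `internal` and falls below the threshold, the user update and the mapping deletion are not assignments, and `legacy-admin` is reported as lacking metadata, which is the case a reviewer would want surfaced rather than dropped.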