Hello Group,when writing custom EventListeners for propagating Keycloak Events to inform downstream systemsof any user related changes one also needs to consider events that are caused by admins, e.g. AdminEvent.Examples are the grant / revoke of a role, group membership changes (derived roles) or user account changesperformed by an admin user.Currently it is not possible to differentiate those admin events when looking at the AdminEvent objectwithout actually parsing / inspecting the representation. This makes it rather complicated to correctly reactspecfic ways for an AdminEvent, e.g. on a Role Membership change, detect and resolve the new role, the user involved and propagate that to the downstream systems.With https://issues.jboss.org/browse/KEYCLOAK-2961 I tried a simple workround by adding theactual realm resource paths to the AdminEvent objekt which allows me to deduce what actually happend.Since the associated PR (https://github.com/keycloak/keycloak/pull/2774) was rejected I think a better solution would be to add dedicated "Event Subject" Information to the AdminEvents.Marek agreed that this would be a good idea in the PR discussion.Subjects could be an enum with "ROLE", "USER/ACCOUNT", "GROUP", however for ROLE one would need to differentiate between REALM_ROLE / CLIENT_ROLE (for proper lookup) and ROLE creation and ROLE_ASSIGNEMNT, same with GROUP.Together with the AdminEvent#OperationType one could deduce what happended, e.g.:Event Subject: ROLE_ASSIGNMENTEvent OperationType: CREATE-> role was grantedEvent Subject: ROLE_ASSIGNMENTEvent OperationType: DELETE-> role was revokedIt would be great if the event would carry some narrowed context information (OperationContext?),e.g. in case of a CLIENT_ROLE ROLE_ASSIGNMENT: clientId, roleId, userIdCheers,Thomas
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev