Sounds good. I can't think of anything that you've missed from the list.
On Fri, 31 Aug 2018 at 15:46, Schuster Sebastian (INST/ESY1) <Sebastian.Schuster(a)bosch-si.com> wrote:
All right. I would like to create a prototype for this. I would take
inspiration from the way custom group attributes are currently implemented.
I guess changes would be necessary in the following areas:
· DB schema
· Persistence layer
· Caching layer
· CRUD API
· Admin console
· Admin CLI
· Java client
· Admin events
Anything I missed?
Thanks and best regards,
Sebastian
Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY |
www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
Sebastian.Schuster(a)bosch-si.com
Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Management: Dr. Stefan Ferber, Michael Hahn
*From:* Stian Thorgersen <sthorger(a)redhat.com>
*Sent:* Monday, 27 August 2018 13:49
*To:* Schuster Sebastian (INST/ESY1) <Sebastian.Schuster(a)bosch-si.com>
*Cc:* keycloak-dev <keycloak-dev(a)lists.jboss.org>
*Subject:* Re: [keycloak-dev] Possible feature: role attributes
I don't think we need to consider adding role attributes to the token.
That would very quickly bloat tokens.
I would like to see a bit more general use of role attributes as part of
incorporating such a feature. Otherwise it would end up being a rather
hidden feature. Some ideas I have in mind:
* Ability to do crud of role attributes in admin console
* Ability to query for roles based on attributes
For future work it would be great to have attributes on everything. That
would allow us to do something like OpenShift `oc` does, where you're able
to search and delete everything based on attributes. One nice use case here
is that you can tag all clients, roles, etc. that belong to a deployment
(a group of apps and services) and be able to view everything that is
related to the deployment in Keycloak.
On Mon, 27 Aug 2018 at 13:32, Schuster Sebastian (INST/ESY1) <Sebastian.Schuster(a)bosch-si.com> wrote:
Hi everybody,
We have a use case where we would like to store additional
meta-information for roles. This comes from our IAM requirements, which say
that there is a single responsible person for a role or that roles give access
to data with different classifications. One way to store this kind of
information would be to introduce role attributes to client and realm
roles, basically similar to user or group attributes.
For us, it would be sufficient to have this information purely as
metadata, i.e. we would only read it through the audit log to inform the
responsible person about role assignments if a role with a certain
classification is assigned. In contrast to that, you can add group and user
attributes to a token using user attribute mappers, and the client
application can extract this information from the token and act on it.
WDYT? Does anybody else have similar requirements? Would you also need
custom role attributes in the token? I can imagine that it gets kind of
difficult to identify where attributes come from once there are user,
group, and role attributes, possibly with inheritance/composition.
Best regards,
Sebastian
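A sketch of the audit-driven use of such attributes, added here as an example and not code from Keycloak or from anyone in this thread: it keeps the proposed role attributes (assumed names `owner` and `classification`) in a constructed table, scans constructed admin events in a simplified version of Keycloak's admin-event shape for role-mapping creations, works out which role owner should be informed, and includes the query-by-attribute lookup Stian mentions.

```python
import json

# Constructed role metadata standing in for the proposed role attributes.
# Attribute names "owner" and "classification" are assumptions for this example.
ROLE_ATTRIBUTES = {
    "finance-reader": {"owner": "alice@example.org", "classification": "confidential"},
    "wiki-user": {"owner": "bob@example.org", "classification": "internal"},
    "payroll-admin": {"owner": "alice@example.org", "classification": "restricted"},
}

# Classifications whose assignment should be reported to the role owner.
NOTIFY_CLASSES = {"confidential", "restricted"}


def role_mapping_roles(event):
    """Return the role names added by an admin event, or [] if the event is not
    a CREATE on a realm or client role mapping. The representation is a JSON
    string, as in Keycloak admin events (shape simplified here)."""
    if event.get("operationType") != "CREATE":
        return []
    if event.get("resourceType") not in ("REALM_ROLE_MAPPING", "CLIENT_ROLE_MAPPING"):
        return []
    return [r["name"] for r in json.loads(event.get("representation", "[]"))]


def notifications(events, attrs=ROLE_ATTRIBUTES, classes=NOTIFY_CLASSES):
    """Map each role owner to the (subject, role, classification) assignments
    they should be told about; roles below the threshold are ignored."""
    out = {}
    for ev in events:
        # Subject path is the part before /role-mappings, e.g. users/<id> or groups/<id>.
        subject = ev.get("resourcePath", "").split("/role-mappings")[0]
        for name in role_mapping_roles(ev):
            meta = attrs.get(name)
            if meta is None or meta["classification"] not in classes:
                continue
            out.setdefault(meta["owner"], []).append((subject, name, meta["classification"]))
    return out


def roles_with(attrs, **wanted):
    """Query roles by attribute values, e.g. all roles owned by one person."""
    return sorted(n for n, a in attrs.items() if all(a.get(k) == v for k, v in wanted.items()))


# Constructed admin events; ids are placeholders, not real Keycloak ids.
SAMPLE_EVENTS = [
    {"operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/1111/role-mappings/realm",
     "representation": json.dumps([{"name": "finance-reader"}, {"name": "wiki-user"}])},
    {"operationType": "DELETE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/1111/role-mappings/realm",
     "representation": json.dumps([{"name": "payroll-admin"}])},
    {"operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": "groups/2222/role-mappings/clients/3333",
     "representation": json.dumps([{"name": "payroll-admin"}])},
]
```

Running `notifications(SAMPLE_EVENTS)` reports both sensitive assignments to alice and nothing to bob, since `wiki-user` is only `internal`.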
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev