Hi Warren,
Have you ever thought of implementing stores on the Keycloak side?
Off the top of my head, I can suggest implementing themĀ either as (hierarchical) groups,
or using custom JPA entity [1].
It is not clear if you already have a database with stores or only planning to create and
populate it. In the former case you will need to set up proper synchronization of store
data to Keycloak; in the latter case the need for an external DB will be eliminated.
In both cases you will have to implement Admin Console GUI additions [2] to manage
user-store-scope associations.
The benefits of this approach:
- improved manageability - you manage everything in one place, i.e. Keycloak Admin
Console;
- performance - this will eliminate the need to perform calls to an external system per
each incoming HTTP request, which might have significant performance impact. Keycloak will
already have all the necessary info to evaluate policies.
You can take a look at BeerCloak [3], a complete all-in-one example that contains custom
JPA entity, Admin Console customizations and the necessary wiring. I'm already
thinking about adding an example authorization policy that would involve custom JPA
entities.
To Pedro: I'd also much appreciate your opinion on this approach, so please let me
know what you think.
[1]
https://www.keycloak.org/docs/latest/server_development/index.html#_exten...
[2]
https://www.keycloak.org/docs/latest/server_development/index.html#_themes
[3]
https://github.com/dteleguin/beercloak
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Fri, 2018-12-28 at 19:01 -0500, Warren, Scott wrote:
Yeah, I made my original example very simple as I was trying to point
out
the multi-tiered permission issue rather than getting bogged down in the
myriad of scopes. Users can have 1-to-many scopes across several stores.
It's not as simple as "if primary store grant this scope set, else grant
that scope set". Life would be a lot easier if it was :)
It sounds like a CIP service accessing an external DB is the 'correct'
answer for this scenario. I see no other clean way to tie
users->stores->scopes.
Thanks for your help!
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user