Hi Dmitry,
I really like that idea. Thanks for the suggestion. I'll give it a try.
Thanks,
Scott
On Fri, Jan 4, 2019 at 9:25 AM Dmitry Telegin <dt(a)acutus.pro> wrote:
Hi Warren,
Have you ever thought of implementing stores on the Keycloak side?
Off the top of my head, I can suggest implementing them either as
(hierarchical) groups, or using custom JPA entity [1].
It is not clear if you already have a database with stores or only
planning to create and populate it. In the former case you will need to set
up proper synchronization of store data to Keycloak; in the latter case the
need for an external DB will be eliminated.
In both cases you will have to implement Admin Console GUI additions [2]
to manage user-store-scope associations.
The benefits of this approach:
- improved manageability - you manage everything in one place, i.e.
Keycloak Admin Console;
- performance - this will eliminate the need to perform calls to an
external system on each incoming HTTP request, which might have a
significant performance impact. Keycloak will already have all the
necessary info to evaluate policies.
You can take a look at BeerCloak [3], a complete all-in-one example that
contains custom JPA entity, Admin Console customizations and the necessary
wiring. I'm already thinking about adding an example authorization policy
that would involve custom JPA entities.
To Pedro: I'd also much appreciate your opinion on this approach, so
please let me know what you think.
[1] https://www.keycloak.org/docs/latest/server_development/index.html#_exten...
[2] https://www.keycloak.org/docs/latest/server_development/index.html#_themes
[3] https://github.com/dteleguin/beercloak
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Fri, 2018-12-28 at 19:01 -0500, Warren, Scott wrote:
> Yeah, I made my original example very simple as I was trying to point out
> the multi-tiered permission issue rather than getting bogged down in the
> myriad of scopes. Users can have 1-to-many scopes across several stores.
> It's not as simple as "if primary store grant this scope set, else grant
> that scope set". Life would be a lot easier if it was :)
> It sounds like a CIP service accessing an external DB is the 'correct'
> answer for this scenario. I see no other clean way to tie
> users->stores->scopes.
> Thanks for your help!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Scott G. Warren
SUM Global Technology
swarren(a)sumglobal.com
678.469.3455
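To make Dmitry's "stores as hierarchical groups, policies evaluated from data Keycloak already holds" suggestion concrete, here is an added example of a Keycloak JavaScript policy. It is not code from the thread or from BeerCloak, and it assumes a group convention that is my own: a user allowed to perform scope S at store X is a member of the group /stores/X/S (for example /stores/store-42/inventory:read), the protected resource is named after the store (store-42), and a group-membership protocol mapper puts full group paths into a "groups" claim. The decision logic is a pure function so it can be run outside Keycloak; the glue at the bottom only executes when the policy engine's $evaluation object is present. ES5 syntax only, because Keycloak's JS policies ran on Nashorn at the time of this thread.

```javascript
// Added example, not from the mailing-list thread or BeerCloak.
// Assumed convention: group "/stores/<store>/<scope>" means the user holds
// <scope> at <store>; the resource name is the store id.

var STORE_GROUP_PREFIX = '/stores/';

// Parse a group path into {store, scope}; null if it does not follow the convention.
function parseStoreGroup(path) {
  if (typeof path !== 'string' || path.indexOf(STORE_GROUP_PREFIX) !== 0) {
    return null;
  }
  var parts = path.substring(STORE_GROUP_PREFIX.length).split('/');
  // Exactly two non-empty segments: store id and scope name.
  if (parts.length !== 2 || parts[0] === '' || parts[1] === '') {
    return null;
  }
  return { store: parts[0], scope: parts[1] };
}

// Build {store: {scope: true}} from the user's group paths; unrelated groups are ignored.
function scopesByStore(groupPaths) {
  var index = {};
  for (var i = 0; i < groupPaths.length; i++) {
    var g = parseStoreGroup(groupPaths[i]);
    if (g === null) { continue; }
    if (!Object.prototype.hasOwnProperty.call(index, g.store)) { index[g.store] = {}; }
    index[g.store][g.scope] = true;
  }
  return index;
}

// Decision: every requested scope must be held at the requested store.
// Fails closed: no groups claim, unknown store, or an empty scope list all deny,
// so this policy is meant for scope-based permissions, not resource-level ones.
function storeScopeGranted(groupPaths, storeName, requestedScopes) {
  if (!groupPaths || !requestedScopes || requestedScopes.length === 0) { return false; }
  var index = scopesByStore(groupPaths);
  if (!Object.prototype.hasOwnProperty.call(index, storeName)) { return false; }
  var held = index[storeName];
  for (var i = 0; i < requestedScopes.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(held, requestedScopes[i])) { return false; }
  }
  return true;
}

// Constructed sample: a user with two scopes at store-42, one at store-7,
// an unrelated group, and a malformed store group that must be ignored.
var SAMPLE_GROUPS = [
  '/stores/store-42/inventory:read',
  '/stores/store-42/inventory:write',
  '/stores/store-7/inventory:read',
  '/staff',
  '/stores/malformed'
];

// Stand-alone demo: returns the decisions for a few requests against the sample user.
function demoDecisions() {
  return {
    readWriteAt42: storeScopeGranted(SAMPLE_GROUPS, 'store-42', ['inventory:read', 'inventory:write']),
    writeAt7: storeScopeGranted(SAMPLE_GROUPS, 'store-7', ['inventory:write']),
    readAt99: storeScopeGranted(SAMPLE_GROUPS, 'store-99', ['inventory:read'])
  };
}

// Keycloak glue: runs only inside the policy engine, where $evaluation is defined.
// Assumption: identity.getAttributes().getValue('groups') returns null when the
// claim is absent, and an Entry with size()/asString(i) otherwise.
if (typeof $evaluation !== 'undefined') {
  var permission = $evaluation.getPermission();
  var identity = $evaluation.getContext().getIdentity();
  var groupsEntry = identity.getAttributes().getValue('groups');
  var groups = [];
  if (groupsEntry !== null) {
    for (var gi = 0; gi < groupsEntry.size(); gi++) { groups.push(groupsEntry.asString(gi)); }
  }
  var scopes = [];
  var scopeIt = permission.getScopes().iterator();
  while (scopeIt.hasNext()) { scopes.push(scopeIt.next().getName()); }
  if (storeScopeGranted(groups, permission.getResource().getName(), scopes)) {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}
```

The point of keeping the decision in a pure function is that the per-request cost is a walk over the token's group claim, with no call to an external system, which is the performance argument above. It also makes the policy testable offline: run the file under Node and call demoDecisions(), or add cases for the fail-closed branches (missing claim, store the user has never been assigned to, malformed group path).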