One of the main reasons to allow setting the ID is to make easier to map resources managed by Keycloak to those you are protecting in your app. The IDs must be unique.

The name attribute is unique for a client+owner basis. The unicity of ids is important as we have optimizations around it.

In the future, we are planning to make two main enhancements to resource mgmt: * Resource-less Evaluation, so that you don't actually need to manage resources in Keycloak in order to evaluate policies. This can be done today using a single resource and a JS policy though, but we can provide something better. * Resource SPI, so that you can plug your resource store instead of using Keycloak internal database

Hi Corentin, One of the main reasons to allow setting the ID is to make easier to map resources managed by Keycloak to those you are protecting in your app. The IDs must be unique. It is not clear to me why the type is not enough? On Thu, Jun 27, 2019 at 5:28 AM Corentin Dupont <corentin.dupont(a)gmail.com&gt; wrote: > Hi guys, > I discovered that you can provide your own id when creating resources: > > curl -X POST " > http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" > -H > "Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: application/json" > -d > '{*"_id": "123-456"*, "type": "test", "name":"test", > > "scopes":["sensors:create","sensors:view","sensors:update","sensors:delete"],"owner":"cdupont", > "ownerManagedAccess": true}' > > This is very practical for synchronizing the resources with my own > database. > After some investigation, I found: > - the ID should be unique > - the name should be unique > > Is that correct? The resource type is not used in the unicity. > In my application database, resources with different types are stored in > different collections, so two resources with different types *can* have > the > same ID. > How do you suggest to solve this in Keycloak? Providing a keycloak ID of > the form <type>-<ID> for example? e.g. sensor-123 and project-123 would > not > collide. > > Cheers > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

Hi guys, I was wondering why BOTH resource name and id have to be unique. Wouldn't only unique ID be enough? Why also name? This is causing me trouble because my users can choose the resource name. Another problem is that for me different resource types can have the same ID. e.g. a resource of type A can have the same ID than a resource of type B. How can that be solved in Keycloak? By prefixing both ID and name with the type? Thanks On Tue, Jul 2, 2019 at 10:28 PM Corentin Dupont <corentin.dupont(a)gmail.com&gt; wrote: > Hi Pedro, > What I wondered is why the name (beside the ID) should be unique? > Regarding type, my point was that in my app resources with different > types can have the same ID. > > On Thu, Jun 27, 2019 at 2:53 PM Pedro Igor Silva <psilva(a)redhat.com&gt; > wrote: > >> Hi Corentin, >> >> One of the main reasons to allow setting the ID is to make easier to map >> resources managed by Keycloak to those you are protecting in your app. >> >> The IDs must be unique. >> >> It is not clear to me why the type is not enough? >> >> On Thu, Jun 27, 2019 at 5:28 AM Corentin Dupont < >> corentin.dupont(a)gmail.com&gt; wrote: >> >>> Hi guys, >>> I discovered that you can provide your own id when creating resources: >>> >>> curl -X POST " >>> http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" >>> -H >>> "Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: >>> application/json" -d >>> '{*"_id": "123-456"*, "type": "test", "name":"test", >>> >>> "scopes":["sensors:create","sensors:view","sensors:update","sensors:delete"],"owner":"cdupont", >>> "ownerManagedAccess": true}' >>> >>> This is very practical for synchronizing the resources with my own >>> database. >>> After some investigation, I found: >>> - the ID should be unique >>> - the name should be unique >>> >>> Is that correct? The resource type is not used in the unicity. >>> In my application database, resources with different types are stored in >>> different collections, so two resources with different types *can* have >>> the >>> same ID. >>> How do you suggest to solve this in Keycloak? Providing a keycloak ID of >>> the form <type>-<ID> for example? e.g. sensor-123 and project-123 would >>> not >>> collide. >>> >>> Cheers >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>

Oh, I understand. So uniqueness requirements are like that: Unique: _id Unique: owner + name Is it correct?

In my app, a same owner can have resources with the same ID, provided that they have different types. e.g. a user "Paul" can have a car named "Megane" and a child named "Megane" (sorry for that example). I don't have resources belonging to the resource server (only to users). Anyway, I don't understand the reason behind the uniqueness requirement for owner+name? Isn't the _id sufficient?

On Wed, Oct 23, 2019 at 6:42 PM Pedro Igor Silva <psilva(a)redhat.com&gt; wrote: > Hi Corentin, > > The name is unique for a same client and owner. Different owners can have > resources with a same name. Or are you talking about resources owned by the > resource server itself ? > > On Wed, Oct 23, 2019 at 10:25 AM Corentin Dupont < > corentin.dupont(a)gmail.com&gt; wrote: > >> Hi guys, >> I was wondering why BOTH resource name and id have to be unique. >> Wouldn't only unique ID be enough? Why also name? >> This is causing me trouble because my users can choose the resource name. >> >> Another problem is that for me different resource types can have the >> same ID. >> e.g. a resource of type A can have the same ID than a resource of type B. >> How can that be solved in Keycloak? By prefixing both ID and name with >> the type? >> Thanks >> >> >> On Tue, Jul 2, 2019 at 10:28 PM Corentin Dupont < >> corentin.dupont(a)gmail.com&gt; wrote: >> >>> Hi Pedro, >>> What I wondered is why the name (beside the ID) should be unique? >>> Regarding type, my point was that in my app resources with different >>> types can have the same ID. >>> >>> On Thu, Jun 27, 2019 at 2:53 PM Pedro Igor Silva <psilva(a)redhat.com&gt; >>> wrote: >>> >>>> Hi Corentin, >>>> >>>> One of the main reasons to allow setting the ID is to make easier to >>>> map resources managed by Keycloak to those you are protecting in your app. >>>> >>>> The IDs must be unique. >>>> >>>> It is not clear to me why the type is not enough? >>>> >>>> On Thu, Jun 27, 2019 at 5:28 AM Corentin Dupont < >>>> corentin.dupont(a)gmail.com&gt; wrote: >>>> >>>>> Hi guys, >>>>> I discovered that you can provide your own id when creating resources: >>>>> >>>>> curl -X POST " >>>>> http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" >>>>> -H >>>>> "Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: >>>>> application/json" -d >>>>> '{*"_id": "123-456"*, "type": "test", "name":"test", >>>>> >>>>> "scopes":["sensors:create","sensors:view","sensors:update","sensors:delete"],"owner":"cdupont", >>>>> "ownerManagedAccess": true}' >>>>> >>>>> This is very practical for synchronizing the resources with my own >>>>> database. >>>>> After some investigation, I found: >>>>> - the ID should be unique >>>>> - the name should be unique >>>>> >>>>> Is that correct? The resource type is not used in the unicity. >>>>> In my application database, resources with different types are stored >>>>> in >>>>> different collections, so two resources with different types *can* >>>>> have the >>>>> same ID. >>>>> How do you suggest to solve this in Keycloak? Providing a keycloak ID >>>>> of >>>>> the form <type>-<ID> for example? e.g. sensor-123 and project-123 >>>>> would not >>>>> collide. >>>>> >>>>> Cheers >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user(a)lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>