[keycloak-dev] Groups design

Bill Burke bburke at redhat.com
Wed Aug 12 09:50:21 EDT 2015


I would like to nail down what we want Groups to look like in Keycloak, 
and also propose a separate RoleGroups structure.

GROUPS:

* Groups have an id, name, and description
* Groups have an arbitrary set of name/value pair attributes
* Realm/Client roles can be associated with a Group.  This is like a 
UserRoleMapping, except it is a GroupRoleMapping.
* Groups can be members of one or more groups
* Users can be members of one or more groups
* Users inherit attributes of the groups they belong to.
* UserModel now has a getGroups(), hasGroup(), grantGroup(), deleteGroup()
* Similar to default roles, we also have default groups.

Features we probably want:
* Groups can have a set of protocol Mappers organized by protocol.
* Clients inherit protocol Mappers from the groups a user belongs to.

Questions:
* Do we want to expand the concept of a Group so that clients and 
identity brokers can belong to a Group? Or just create a separate 
composite structure for this?


ROLEGROUPS:

RoleGroups are just a namespace for Roles.  I want to remove the concept 
of realm level and client level roles and just have the concept of a 
RoleGroup.  The reasoning for this is that I've seen people ask for it. 
They want to share a set of roles between clients, and realm-level 
roles might end up having name clashes, if you are following me.

* RoleGroups have an id, name and description.
* RoleGroups define a set of roles.
* Users are *NOT* members of RoleGroups
* For migration, a "realm" RoleGroup is created.  A RoleGroup for each 
client that has defined roles is created.  The name will be the clientId 
of the client.
* I want to deprecate the "use-resource-role-mappings" switch in the 
adapter.
* I want to deprecate the JWT extension we made for roles and have 
something completely flat (like SAML) with a URI that identifies each 
role (like in UMA spec).
* We will remove these deprecated features in the final cut of community 
that we fork to move into product.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


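As an added illustration of the Groups and RoleGroups proposal above (example code written for this page, not Keycloak's own model), the following computes a user's effective roles and attributes as the closure over nested group membership, with role names qualified by their RoleGroup so that a realm-level "admin" and a client-level "admin" cannot collide. The precedence rule for attributes (the user's own value wins) and the "rolegroup:role" naming are assumptions; the proposal states neither.

```python
from dataclasses import dataclass, field

@dataclass
class Group:                      # Groups: name, attributes, GroupRoleMapping, parent groups
    name: str
    attributes: dict = field(default_factory=dict)
    roles: set = field(default_factory=set)    # qualified as "rolegroup:role"
    parents: set = field(default_factory=set)  # groups this group is a member of

@dataclass
class User:
    name: str
    attributes: dict = field(default_factory=dict)
    roles: set = field(default_factory=set)    # UserRoleMapping
    groups: set = field(default_factory=set)

def ancestor_groups(groups, start):
    """Every group reachable from `start` via membership; cycle-safe."""
    seen, todo = set(), list(start)
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(groups[g].parents)
    return seen

def effective_roles(groups, user):
    """Direct user roles plus the roles mapped to every ancestor group."""
    roles = set(user.roles)
    for g in ancestor_groups(groups, user.groups):
        roles |= groups[g].roles
    return roles

def effective_attributes(groups, user):
    """Inherited group attributes; the user's own value wins (assumption: the
    proposal states no precedence). Groups are visited by name for determinism."""
    merged = {}
    for g in sorted(ancestor_groups(groups, user.groups)):
        merged.update(groups[g].attributes)
    merged.update(user.attributes)
    return merged

# Constructed sample: "admin" exists in both the "realm" and "billing-app" RoleGroups.
GROUPS = {
    "staff": Group("staff", {"dept": "eng"}, {"realm:user"}),
    "ops":   Group("ops", {"oncall": "yes"}, {"billing-app:admin"}, {"staff"}),
    "sre":   Group("sre", {}, set(), {"ops", "staff"}),
}
GROUPS["staff"].parents.add("sre")  # deliberate membership cycle: must not hang
ALICE = User("alice", {"dept": "sec"}, {"realm:admin"}, {"sre"})
```

Because effective privilege is the closure over every ancestor group, reviewing a single group's direct role mappings understates what its members can do; the cycle in the sample shows why the traversal must track visited groups.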