[keycloak-dev] inter-realm trust model

Stian Thorgersen sthorger at redhat.com
Mon Dec 7 02:43:02 EST 2015


Added this comment to the previous thread, but copy/pasting here:

I was thinking a bit more about trust between realms and I think that
should be limited to authentication only. An admin with certain roles in
one realm shouldn't necessarily have the same roles in another realm. So I
think we need either a user that can exist in multiple realms or utilize
identity brokering to get "linked" users. I'm worried if we allow roles
from one realm to give admin permissions in another it will be hard to get
a full picture of who has access to the realm. It may also give
unintentional permissions. Also, if we introduce admins that can only
manage a "group" of users, or roles that specify what roles an admin can
grant, that would require users in the specific realm to manage.

On 4 December 2015 at 17:23, Bill Burke <bburke at redhat.com> wrote:

> To establish trust between realms I was thinking about a simple table:
>
> realm|trusted-realm|role
>
> Here's some example records:
>
> test-realm|master|manage-clients
> test-realm|master|view-users
>
> means
>
> "test-realm" trusts the "master" realm, but they can only
> "manage-clients" and "view-users"
>
> The "role" column would just be the name of the realm, not an id and
> would reference the "realm-management" client roles (which will be moved
> to security-admin-console client).
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
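To make the two designs in this thread concrete, here is an added toy model (illustration only, not Keycloak code). It implements Bill's `realm|trusted-realm|role` table and Stian's authentication-only trust with linked users side by side, and answers the audit question Stian raises ("who can manage test-realm?") under each. The realm and user names, the `links` map, and the assumption that a trusted admin must also hold the role in their home realm are all constructed for the example.

```python
"""Toy model of the two inter-realm trust designs from the keycloak-dev thread.

Added example, not Keycloak code. Assumptions (not in the thread):
  * under the trust table, a foreign admin's effective roles are the roles
    they hold at home intersected with the table rows for that realm pair;
  * under authentication-only trust, a foreign admin maps to a local user
    through an identity-brokering link and inherits only that user's roles.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

RoleSet = FrozenSet[str]


@dataclass(frozen=True)
class TrustRow:
    """One row of Bill's proposed table: realm|trusted-realm|role."""
    realm: str           # realm granting the permission
    trusted_realm: str   # realm whose admins are trusted
    role: str            # realm-management role name (a name, not an id)


@dataclass
class Realm:
    name: str
    # username -> realm-management roles that user holds in this realm
    users: Dict[str, Set[str]] = field(default_factory=dict)
    # realms whose authentication this realm accepts (Stian's model)
    trusted_for_auth: Set[str] = field(default_factory=set)
    # (home realm, home username) -> local username (hypothetical brokered link)
    links: Dict[Tuple[str, str], str] = field(default_factory=dict)


# --- Bill's model: roles flow across realms through explicit table rows ---

def roles_via_trust_table(table: FrozenSet[TrustRow], realms: Dict[str, Realm],
                          target: str, admin_realm: str, username: str) -> RoleSet:
    """Roles `username` (authenticated in `admin_realm`) can exercise in `target`.
    Only direct rows count: (A trusts B) and (B trusts C) give C nothing in A."""
    allowed = {r.role for r in table if r.realm == target and r.trusted_realm == admin_realm}
    home_roles = realms[admin_realm].users.get(username, set()) if admin_realm in realms else set()
    return frozenset(allowed & home_roles)


def admins_with_role_via_table(realms: Dict[str, Realm], table: FrozenSet[TrustRow],
                               target: str, role: str) -> FrozenSet[Tuple[str, str]]:
    """Audit: who can exercise `role` in `target`? This has to walk every trusted
    realm's user list, which is the 'full picture' problem Stian points at."""
    found = set()
    for row in table:
        if row.realm == target and row.role == role:
            for user, roles in realms[row.trusted_realm].users.items():
                if role in roles:
                    found.add((row.trusted_realm, user))
    return frozenset(found)


# --- Stian's model: trust is authentication only; roles stay local ---

def roles_via_auth_trust(realms: Dict[str, Realm], target: str,
                         admin_realm: str, username: str) -> RoleSet:
    """A foreign admin gets exactly the roles of the linked local user, or nothing."""
    t = realms[target]
    if admin_realm not in t.trusted_for_auth:
        return frozenset()
    local = t.links.get((admin_realm, username))
    if local is None:
        return frozenset()  # authenticated, but no linked user here: no permissions
    return frozenset(t.users.get(local, set()))


def admins_with_role_via_links(realms: Dict[str, Realm], target: str, role: str) -> FrozenSet[str]:
    """Audit: the answer is entirely inside `target`; no other realm is consulted."""
    t = realms[target]
    return frozenset(u for u, roles in t.users.items() if role in roles)


# Constructed sample data mirroring the example records in the thread.
REALMS: Dict[str, Realm] = {
    "master": Realm("master", users={
        "alice": {"manage-clients", "manage-users"},
        "bob": {"view-users"},
    }),
    "test-realm": Realm(
        "test-realm",
        users={"alice-linked": {"manage-clients"}},
        trusted_for_auth={"master"},
        links={("master", "alice"): "alice-linked"},
    ),
}

TRUST_TABLE: FrozenSet[TrustRow] = frozenset({
    TrustRow("test-realm", "master", "manage-clients"),
    TrustRow("test-realm", "master", "view-users"),
})


if __name__ == "__main__":
    print("table, alice:", sorted(roles_via_trust_table(TRUST_TABLE, REALMS, "test-realm", "master", "alice")))
    print("table, bob:  ", sorted(roles_via_trust_table(TRUST_TABLE, REALMS, "test-realm", "master", "bob")))
    print("links, alice:", sorted(roles_via_auth_trust(REALMS, "test-realm", "master", "alice")))
    print("links, bob:  ", sorted(roles_via_auth_trust(REALMS, "test-realm", "master", "bob")))
    print("audit view-users via table:", sorted(admins_with_role_via_table(REALMS, TRUST_TABLE, "test-realm", "view-users")))
    print("audit manage-clients via links:", sorted(admins_with_role_via_links(REALMS, "test-realm", "manage-clients")))
```

The difference Stian describes shows up in the audit functions: with the table, answering "who has view-users in test-realm?" means reading master's user list, and adding "manage-clients" to any master user silently grants it in test-realm; with authentication-only trust plus links, bob can log in but holds no permissions until someone in test-realm creates and links a local user for him.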