[keycloak-dev] ResourceFactory SPI for AuthZ service

Bill Burke bburke at redhat.com
Wed Mar 22 16:04:43 EDT 2017

I want to use AuthZ service to implement fine-grain admin console 
permissions.  To do this, I foresee that I'll have to define resources 
that correspond one to one to objects in the Keycloak domain model.  
Specifically roles, groups, and clients.  There are a few problems with 
this approach:

  * Some deployments of keycloak have tens of thousands of roles and
    groups or hundreds of clients
  * Synchronizing an AuthZ resource that represents a role, group, etc.
    must be done.  i.e. when role/group/client is removed or renamed.
  * I'd like for policies to be able to have the real object that the
    resource represents when evaluating policies

I want to suggest something similar that we've done with User Storage 
SPI in that links to AuthZ resources are a "smart" id.

"f:" + providerId + ":" + resource id

When evaluating policies the engine would navigate to a provider that 
could load an instance of the Resource interface.  This way I could 
represent a role or group as an AuthZ resource without creating a 
resource in the Authz datamodel.  Am I making sense?


More information about the keycloak-dev mailing list