[keycloak-dev] ResourceFactory SPI for AuthZ service
bburke at redhat.com
Wed Mar 22 16:04:43 EDT 2017
I want to use AuthZ service to implement fine-grain admin console
permissions. To do this, I foresee that I'll have to define resources
that correspond one to one to objects in the Keycloak domain model.
Specifically roles, groups, and clients. There are a few problems with
* Some deployments of keycloak have tens of thousands of roles and
groups or hundreds of clients
* Synchronizing an AuthZ resource that represents a role, group, etc.
must be done. i.e. when role/group/client is removed or renamed.
* I'd like for policies to be able to have the real object that the
resource represents when evaluating policies
I want to suggest something similar that we've done with User Storage
SPI in that links to AuthZ resources are a "smart" id.
"f:" + providerId + ":" + resource id
When evaluating policies the engine would navigate to a provider that
could load an instance of the Resource interface. This way I could
represent a role or group as an AuthZ resource without creating a
resource in the Authz datamodel. Am I making sense?
More information about the keycloak-dev