[keycloak-dev] ResourceFactory SPI for AuthZ service
Pedro Igor Silva
psilva at redhat.com
Wed Mar 22 17:08:55 EDT 2017
I see. That makes sense. It would save a lot of work and can also be useful
for people looking to hook their own resources without necessarily creating
them.
Regards.
Pedro Igor
On Wed, Mar 22, 2017 at 5:04 PM, Bill Burke <bburke at redhat.com> wrote:
> I want to use AuthZ service to implement fine-grain admin console
> permissions. To do this, I foresee that I'll have to define resources
> that correspond one to one to objects in the Keycloak domain model.
> Specifically roles, groups, and clients. There are a few problems with
> this approach:
>
> * Some deployments of keycloak have tens of thousands of roles and
> groups or hundreds of clients
> * Synchronizing an AuthZ resource that represents a role, group, etc.
> must be done. i.e. when role/group/client is removed or renamed.
> * I'd like for policies to be able to have the real object that the
> resource represents when evaluating policies
>
> I want to suggest something similar that we've done with User Storage
> SPI in that links to AuthZ resources are a "smart" id.
>
> "f:" + providerId + ":" + resource id
>
> When evaluating policies the engine would navigate to a provider that
> could load an instance of the Resource interface. This way I could
> represent a role or group as an AuthZ resource without creating a
> resource in the Authz datamodel. Am I making sense?
>
> Bill
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list