[keycloak-dev] ResourceFactory SPI for AuthZ service

Pedro Igor Silva psilva at redhat.com
Wed Mar 22 17:08:55 EDT 2017

I see. That makes sense. It would save a lot of work and can also be useful
for people looking to hook their own resources without necessarily creating

Pedro Igor

On Wed, Mar 22, 2017 at 5:04 PM, Bill Burke <bburke at redhat.com> wrote:

> I want to use AuthZ service to implement fine-grain admin console
> permissions.  To do this, I foresee that I'll have to define resources
> that correspond one to one to objects in the Keycloak domain model.
> Specifically roles, groups, and clients.  There are a few problems with
> this approach:
>   * Some deployments of keycloak have tens of thousands of roles and
>     groups or hundreds of clients
>   * Synchronizing an AuthZ resource that represents a role, group, etc.
>     must be done.  i.e. when role/group/client is removed or renamed.
>   * I'd like for policies to be able to have the real object that the
>     resource represents when evaluating policies
> I want to suggest something similar that we've done with User Storage
> SPI in that links to AuthZ resources are a "smart" id.
> "f:" + providerId + ":" + resource id
> When evaluating policies the engine would navigate to a provider that
> could load an instance of the Resource interface.  This way I could
> represent a role or group as an AuthZ resource without creating a
> resource in the Authz datamodel.  Am I making sense?
> Bill
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list