[keycloak-dev] ResourceFactory SPI for AuthZ service
Pedro Igor Silva
psilva at redhat.com
Wed Mar 22 17:45:09 EDT 2017
Btw, are you already looking at this or do you want me to write it down?
On Wed, Mar 22, 2017 at 6:08 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
> I see. That makes sense. It would save a lot of work and can also be
> useful for people looking to hook their own resources without necessarily
> creating them.
>
> Regards.
> Pedro Igor
>
> On Wed, Mar 22, 2017 at 5:04 PM, Bill Burke <bburke at redhat.com> wrote:
>
>> I want to use AuthZ service to implement fine-grain admin console
>> permissions. To do this, I foresee that I'll have to define resources
>> that correspond one to one to objects in the Keycloak domain model.
>> Specifically roles, groups, and clients. There are a few problems with
>> this approach:
>>
>> * Some deployments of keycloak have tens of thousands of roles and
>> groups or hundreds of clients
>> * Synchronizing an AuthZ resource that represents a role, group, etc.
>> must be done. i.e. when role/group/client is removed or renamed.
>> * I'd like for policies to be able to have the real object that the
>> resource represents when evaluating policies
>>
>> I want to suggest something similar that we've done with User Storage
>> SPI in that links to AuthZ resources are a "smart" id.
>>
>> "f:" + providerId + ":" + resource id
>>
>> When evaluating policies the engine would navigate to a provider that
>> could load an instance of the Resource interface. This way I could
>> represent a role or group as an AuthZ resource without creating a
>> resource in the Authz datamodel. Am I making sense?
>>
>> Bill
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
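As an added illustration of the "smart" id routing Bill proposes above (this is not code from Keycloak or from anyone in this thread; the Resource and ResourceProvider interfaces, the "role" provider id, the resource type URN and the in-memory role store are all assumptions), the sketch below parses `"f:" + providerId + ":" + resourceId`, hands federated ids to a provider that builds a Resource on demand from the live domain object, and falls back to stored AuthZ resources only for non-federated ids. Because nothing is persisted per role, a deleted role simply stops resolving, so there is no sync step to forget.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical sketch of the proposed smart-id scheme. None of these types
// are Keycloak's real AuthZ or User Storage API; they only model the idea.
public class SmartResourceIdExample {

    /** Stand-in for the AuthZ Resource interface (assumed shape). */
    interface Resource {
        String getId();
        String getName();
        String getType();
        /** The real domain object the resource represents, available to policies. */
        Object getBackingObject();
    }

    /** Hypothetical ResourceFactory SPI: loads a Resource from a provider-local id. */
    interface ResourceProvider {
        String getProviderId();
        Optional<Resource> loadResource(String localId);
    }

    /** Parsed form of "f:" + providerId + ":" + localId. */
    static final class SmartId {
        final String providerId;
        final String localId;

        SmartId(String providerId, String localId) {
            this.providerId = providerId;
            this.localId = localId;
        }

        /** Empty for ids that are not federated (plain AuthZ datamodel ids). */
        static Optional<SmartId> parse(String id) {
            if (id == null || !id.startsWith("f:")) return Optional.empty();
            // Split only at the first ':' after the prefix, so a local id that
            // itself contains ':' is preserved intact.
            int sep = id.indexOf(':', 2);
            if (sep < 0 || sep == 2 || sep == id.length() - 1) return Optional.empty();
            return Optional.of(new SmartId(id.substring(2, sep), id.substring(sep + 1)));
        }
    }

    /** What the policy engine would call: federated ids go to a provider, others to the datamodel. */
    static final class ResourceResolver {
        private final Map<String, ResourceProvider> providers = new HashMap<>();
        private final Map<String, Resource> datamodel = new HashMap<>(); // stand-in for stored resources

        void register(ResourceProvider p) { providers.put(p.getProviderId(), p); }
        void store(Resource r) { datamodel.put(r.getId(), r); }

        Optional<Resource> resolve(String id) {
            Optional<SmartId> smart = SmartId.parse(id);
            if (smart.isPresent()) {
                // An "f:" id with an unknown provider is rejected outright rather than
                // being retried against the datamodel, so the two id spaces never overlap.
                ResourceProvider p = providers.get(smart.get().providerId);
                return p == null ? Optional.empty() : p.loadResource(smart.get().localId);
            }
            return Optional.ofNullable(datamodel.get(id));
        }
    }

    /** Constructed stand-in for a Keycloak role; not the real RoleModel. */
    static final class Role {
        final String id;
        final String name;
        Role(String id, String name) { this.id = id; this.name = name; }
    }

    /** Exposes roles as resources on demand, with no AuthZ row per role. */
    static final class RoleResourceProvider implements ResourceProvider {
        private final Map<String, Role> roles; // stand-in for the realm's role store
        RoleResourceProvider(Map<String, Role> roles) { this.roles = roles; }

        public String getProviderId() { return "role"; }

        public Optional<Resource> loadResource(String localId) {
            Role role = roles.get(localId);
            if (role == null) return Optional.empty(); // removed role: nothing stale left behind
            return Optional.of(new Resource() {
                public String getId() { return "f:role:" + role.id; }
                public String getName() { return role.name; } // always the current name
                public String getType() { return "urn:example:resources:role"; }
                public Object getBackingObject() { return role; }
            });
        }
    }

    public static void main(String[] args) {
        Map<String, Role> roleStore = new HashMap<>(); // constructed sample data
        roleStore.put("a1b2", new Role("a1b2", "realm-admin"));
        ResourceResolver resolver = new ResourceResolver();
        resolver.register(new RoleResourceProvider(roleStore));

        System.out.println(resolver.resolve("f:role:a1b2").map(Resource::getName).orElse("<none>"));
        System.out.println(resolver.resolve("f:role:zzzz").isPresent());
        System.out.println(resolver.resolve("f:nosuch:a1b2").isPresent());
        roleStore.remove("a1b2");
        System.out.println(resolver.resolve("f:role:a1b2").isPresent());
    }
}
```

The point a reviewer would check is the last case: after the role is removed, the same smart id no longer resolves, so a policy referencing it evaluates against nothing rather than against a stale copy of the role, which is exactly the synchronization problem the second bullet in Bill's list is worried about.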