[keycloak-dev] ResourceFactory SPI for AuthZ service

Pedro Igor Silva psilva at redhat.com
Wed Mar 22 17:45:09 EDT 2017

Btw, are you already looking this or do you want me to write it down ?

On Wed, Mar 22, 2017 at 6:08 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

> I see. That makes sense. It would save a lot of work and can also be
> useful for people looking to hook their own resources without necessarily
> creating them.
> Regards.
> Pedro Igor
> On Wed, Mar 22, 2017 at 5:04 PM, Bill Burke <bburke at redhat.com> wrote:
>> I want to use AuthZ service to implement fine-grain admin console
>> permissions.  To do this, I foresee that I'll have to define resources
>> that correspond one to one to objects in the Keycloak domain model.
>> Specifically roles, groups, and clients.  There are a few problems with
>> this approach:
>>   * Some deployments of keycloak have tens of thousands of roles and
>>     groups or hundreds of clients
>>   * Synchronizing an AuthZ resource that represents a role, group, etc.
>>     must be done.  i.e. when role/group/client is removed or renamed.
>>   * I'd like for policies to be able to have the real object that the
>>     resource represents when evaluating policies
>> I want to suggest something similar that we've done with User Storage
>> SPI in that links to AuthZ resources are a "smart" id.
>> "f:" + providerId + ":" + resource id
>> When evaluating policies the engine would navigate to a provider that
>> could load an instance of the Resource interface.  This way I could
>> represent a role or group as an AuthZ resource without creating a
>> resource in the Authz datamodel.  Am I making sense?
>> Bill
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list