[keycloak-dev] ResourceFactory SPI for AuthZ service

Bill Burke bburke at redhat.com
Wed Mar 22 18:52:47 EDT 2017


I need it to move forward.  You or me.  I don't care.


On 3/22/17 5:45 PM, Pedro Igor Silva wrote:
> Btw, are you already looking at this or do you want me to write it down?
>
> On Wed, Mar 22, 2017 at 6:08 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
>
>     I see. That makes sense. It would save a lot of work and can also
>     be useful for people looking to hook their own resources without
>     necessarily creating them.
>
>     Regards.
>     Pedro Igor
>
>     On Wed, Mar 22, 2017 at 5:04 PM, Bill Burke <bburke at redhat.com> wrote:
>
>         I want to use AuthZ service to implement fine-grain admin console
>         permissions.  To do this, I foresee that I'll have to define
>         resources that correspond one to one to objects in the Keycloak
>         domain model.  Specifically roles, groups, and clients.  There are
>         a few problems with this approach:
>
>           * Some deployments of keycloak have tens of thousands of roles
>             and groups or hundreds of clients
>           * Synchronizing an AuthZ resource that represents a role, group,
>             etc. must be done.  i.e. when role/group/client is removed or
>             renamed.
>           * I'd like for policies to be able to have the real object that
>             the resource represents when evaluating policies
>
>         I want to suggest something similar that we've done with User
>         Storage SPI in that links to AuthZ resources are a "smart" id.
>
>         "f:" + providerId + ":" + resource id
>
>         When evaluating policies the engine would navigate to a provider
>         that could load an instance of the Resource interface. This way I
>         could represent a role or group as an AuthZ resource without
>         creating a resource in the Authz datamodel.  Am I making sense?
>
>         Bill
>
>         _______________________________________________
>         keycloak-dev mailing list
>         keycloak-dev at lists.jboss.org
>         https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>

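The sketch below is an added illustration of the "smart" id idea from Bill's message; it is not code from the thread or from Keycloak, and the `Resource`, `ResourceProvider`, `SmartIdResourceResolver` and `RoleResourceProvider` names, the in-memory maps standing in for the AuthZ datamodel and the realm's role table, and the sample role `r-42` are all constructed for this example. It shows why the approach removes the synchronization problem (nothing is copied, so a deleted role simply stops resolving) and the two checks a resolver should make before trusting an id: a malformed `f:` id and an unknown provider id both resolve to "not found" rather than falling back to the stored-resource lookup.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical minimal resource shape for this sketch; not Keycloak's real Resource interface.
interface Resource {
    String getId();
    String getName();
    Object getBackingObject(); // the real domain object (role, group, client) handed to policies
}

// Hypothetical provider SPI: one provider owns one id namespace and loads resources on demand.
interface ResourceProvider {
    String getProviderId();
    Optional<Resource> getResource(String localId);
}

// Resolves the "f:" + providerId + ":" + resourceId smart ids proposed in the thread.
final class SmartIdResourceResolver {
    static final String FEDERATED_PREFIX = "f:";
    private final Map<String, ResourceProvider> providers = new HashMap<>();
    private final Map<String, Resource> authzStore; // stand-in for resources persisted in the AuthZ datamodel

    SmartIdResourceResolver(Map<String, Resource> authzStore) {
        this.authzStore = authzStore;
    }

    void register(ResourceProvider provider) {
        providers.put(provider.getProviderId(), provider);
    }

    Optional<Resource> resolve(String id) {
        if (id == null) {
            return Optional.empty();
        }
        if (!id.startsWith(FEDERATED_PREFIX)) {
            // plain id: an ordinary resource stored in the AuthZ datamodel
            return Optional.ofNullable(authzStore.get(id));
        }
        // limit of 3 keeps any ':' inside the provider's own local id intact
        String[] parts = id.split(":", 3);
        if (parts.length != 3 || parts[1].isEmpty() || parts[2].isEmpty()) {
            return Optional.empty(); // malformed smart id: not found, never fall back to the store
        }
        ResourceProvider provider = providers.get(parts[1]);
        if (provider == null) {
            return Optional.empty(); // unknown provider id: not found
        }
        return provider.getResource(parts[2]);
    }
}

// Sample provider exposing realm roles as resources without copying them into the AuthZ store.
final class RoleResourceProvider implements ResourceProvider {
    static final class Role {
        final String id;
        final String name;
        Role(String id, String name) { this.id = id; this.name = name; }
    }

    private final Map<String, Role> roles = new HashMap<>(); // constructed stand-in for the realm's role table

    public String getProviderId() { return "role"; }

    void addRole(Role role) { roles.put(role.id, role); }
    void removeRole(String roleId) { roles.remove(roleId); }

    public Optional<Resource> getResource(String localId) {
        Role role = roles.get(localId);
        if (role == null) {
            return Optional.empty(); // role deleted or never existed: the resource vanishes with it
        }
        return Optional.of(new Resource() {
            public String getId() { return SmartIdResourceResolver.FEDERATED_PREFIX + "role:" + role.id; }
            public String getName() { return role.name; }
            public Object getBackingObject() { return role; } // policies get the real role object
        });
    }
}

final class SmartIdDemo {
    public static void main(String[] args) {
        RoleResourceProvider roleProvider = new RoleResourceProvider();
        roleProvider.addRole(new RoleResourceProvider.Role("r-42", "realm-admin")); // constructed sample role

        SmartIdResourceResolver resolver = new SmartIdResourceResolver(new HashMap<>());
        resolver.register(roleProvider);

        System.out.println("before delete: " + resolver.resolve("f:role:r-42").map(Resource::getName));
        roleProvider.removeRole("r-42"); // no AuthZ-side cleanup is needed
        System.out.println("after delete:  " + resolver.resolve("f:role:r-42").isPresent());
        System.out.println("unknown provider: " + resolver.resolve("f:ldap:r-42").isPresent());
        System.out.println("malformed id: " + resolver.resolve("f:role:").isPresent());
    }
}
```

Running `SmartIdDemo` resolves the role through the provider before deletion and fails to resolve it afterwards, with no resource ever written to the AuthZ store; the unknown-provider and malformed-id cases also resolve to nothing. The design choice worth keeping from the sketch is that the `f:` prefix is checked before the plain-id lookup, so a federated-looking id can never be silently reinterpreted as a stored resource id.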

