[keycloak-dev] Possible feature: role attributes

Stian Thorgersen sthorger at redhat.com
Mon Aug 27 07:49:23 EDT 2018


I don't think we need to consider adding role attributes to the token. That
would very quickly bloat tokens.

I would like to see a bit more general use of role attributes as part of
incorporating such a feature. Otherwise it would end up being a rather
hidden feature. Some ideas I have in mind:

* Ability to do crud of role attributes in admin console
* Ability to query for roles based on attributes

For future work it would be great to have attributes on everything. That
would allow us to do something like OpenShift `oc` does, where you're able
to search and delete everything based on attributes. One nice use-case here
is that you can tag all clients, roles, etc. that belong to a deployment
(a group of apps and services) and be able to view everything that is
related to the deployment in Keycloak.

On Mon, 27 Aug 2018 at 13:32, Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster at bosch-si.com> wrote:

> Hi everybody,
>
> We have a use case where we would like to store additional
> meta-information for roles. This comes from our IAM requirements, which say
> that there is a single responsible person for a role or that roles give access
> to data with different classifications. One way to store this kind of
> information would be to introduce role attributes to client and realm
> roles, basically similar to user or group attributes.
>
> For us, it would be sufficient to have this information purely as
> metadata, i.e. we would only read it through the audit log to inform the
> responsible person about role assignments if a role with a certain
> classification is assigned. In contrast to that, you can add group and user
> attributes to a token using user attribute mappers and the client
> application can extract this information from the token and act on it.
>
> WDYT? Does anybody else have similar requirements? Would you need role
> custom attributes also in the token? I can imagine that it gets kind of
> difficult to identify where attributes come from, once there are user,
> group, and role attributes, possibly with inheritance/composition.
>
> Best regards,
> Sebastian
>
> Kind regards / Best regards
>
> Dr.-Ing. Sebastian Schuster
>
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY | www.bosch-si.com
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
> Sebastian.Schuster at bosch-si.com
>
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Management: Dr.
> Stefan Ferber, Michael Hahn
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
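The workflow Sebastian describes, reading role assignments from the audit log and notifying the role's responsible person whenever a role with a certain classification is assigned, as an added example that is not part of this thread or of Keycloak itself. It assumes the proposed role attributes are available as a lookup table keyed by role, and that admin events carry Keycloak's admin-event fields (operationType, resourceType, resourcePath, representation); the events, role metadata and client UUID are constructed.

```python
import json

# Classification levels from lowest to highest (constructed for this example).
LEVELS = ["public", "internal", "confidential", "restricted"]

# Constructed role metadata standing in for the proposed role attributes (owner and
# classification per role); the "realm/<role>" and "client/<uuid>/<role>" keying is assumed.
CLIENT_UUID = "c0ffee00-0000-4000-8000-000000000001"  # constructed client id
ROLE_ATTRIBUTES = {
    "realm/finance-admin": {"owner": "alice@example.com", "classification": "confidential"},
    "realm/viewer": {"owner": "bob@example.com", "classification": "public"},
    f"client/{CLIENT_UUID}/refund-approver": {"owner": "carol@example.com", "classification": "restricted"},
}

# Constructed admin events in the shape of Keycloak's admin event log; the
# "representation" field carries the mapped roles as a JSON string.
ADMIN_EVENTS = [
    {"operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/u-1001/role-mappings/realm",
     "representation": json.dumps([{"name": "finance-admin"}, {"name": "viewer"}, {"name": "auditor"}])},  # auditor has no metadata
    {"operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": f"users/u-1002/role-mappings/clients/{CLIENT_UUID}",
     "representation": json.dumps([{"name": "refund-approver", "containerId": CLIENT_UUID}])},
    {"operationType": "DELETE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/u-1001/role-mappings/realm",
     "representation": json.dumps([{"name": "finance-admin"}])},  # removal: not reported
    {"operationType": "CREATE", "resourceType": "USER",
     "resourcePath": "users/u-1003", "representation": json.dumps({"username": "dave"})},  # not a role mapping
]

def role_key(resource_type, role):
    # Client roles are keyed by their containing client's id as well as by name.
    if resource_type == "CLIENT_ROLE_MAPPING":
        return f"client/{role['containerId']}/{role['name']}"
    return f"realm/{role['name']}"

def sensitive_assignments(events, role_attrs, min_level):
    """Return (user_id, role_key, owner) for each newly assigned role classified at or above min_level."""
    threshold = LEVELS.index(min_level)
    hits = []
    for ev in events:
        path = ev.get("resourcePath", "").split("/")
        if (ev.get("operationType") != "CREATE" or len(path) < 3
                or path[0] != "users" or path[2] != "role-mappings"):
            continue  # only new user role mappings are of interest here
        for role in json.loads(ev.get("representation") or "[]"):
            key = role_key(ev.get("resourceType"), role)
            attrs = role_attrs.get(key)
            if attrs and LEVELS.index(attrs["classification"]) >= threshold:
                hits.append((path[1], key, attrs["owner"]))
    return hits
```

Group role mappings (resourcePath starting with `groups/`) would need the same treatment, which is where the inheritance question raised in the thread comes in.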
