[keycloak-dev] Possible feature: role attributes

Schuster Sebastian (INST/ESY1) Sebastian.Schuster at bosch-si.com
Fri Aug 31 09:46:12 EDT 2018


All right. I would like to create a prototype for this. I would take inspiration from the way custom group attributes are currently implemented.
I guess changes would be necessary in the following areas:

* DB schema
* Persistence layer
* Caching layer
* CRUD API
* Admin console
* Admin CLI
* Java client
* Admin events

Anything I missed?

Thanks and best regards,
Sebastian

Kind regards / Best regards

Dr.-Ing. Sebastian Schuster

Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn



From: Stian Thorgersen <sthorger at redhat.com>
Sent: Monday, 27 August 2018 13:49
To: Schuster Sebastian (INST/ESY1) <Sebastian.Schuster at bosch-si.com>
Cc: keycloak-dev <keycloak-dev at lists.jboss.org>
Subject: Re: [keycloak-dev] Possible feature: role attributes

I don't think we need to consider adding role attributes to the token. That would very quickly bloat tokens.

I would like to see a bit more general use of role attributes as part of incorporating such a feature. Otherwise it would end up being a rather hidden feature. Some ideas I have in mind:

* Ability to do CRUD of role attributes in admin console
* Ability to query for roles based on attributes

For future work it would be great to have attributes on everything. That would allow us to do something like OpenShift `oc` does, where you're able to search and delete everything based on attributes. One nice use-case here is that you can tag all clients, roles, etc. that belong to a deployment (a group of apps and services) and be able to view everything that is related to the deployment in Keycloak.

On Mon, 27 Aug 2018 at 13:32, Schuster Sebastian (INST/ESY1) <Sebastian.Schuster at bosch-si.com> wrote:
Hi everybody,

We have a use case where we would like to store additional meta-information for roles. This comes from our IAM requirements, which say that there is a single responsible person for a role or that roles give access to data with different classifications. One way to store this kind of information would be to introduce role attributes for client and realm roles, basically similar to user or group attributes.

For us, it would be sufficient to have this information purely as metadata, i.e. we would only read it through the audit log to inform the responsible person about role assignments if a role with a certain classification is assigned. In contrast to that, you can add group and user attributes to a token using user attribute mappers, and the client application can extract this information from the token and act on it.

WDYT? Does anybody else have similar requirements? Would you need role custom attributes also in the token? I can imagine that it gets kind of difficult to identify where attributes come from, once there are user, group, and role attributes, possibly with inheritance/composition.

Best regards,
Sebastian

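The audit-based notification described in the original message (inform the responsible person whenever a role with a certain classification is assigned), as an added example that is not part of this thread and not Keycloak code: a script that walks admin-event records and consults a constructed role-attribute map standing in for the proposed feature. The event field layout (resourceType, operationType, resourcePath, and representation as a JSON-encoded string of the roles touched) is assumed from Keycloak's admin events, and the attribute names classification and responsible are assumptions of this example.

```python
import json

# Constructed stand-in for the proposed role attributes, keyed by role name.
ROLE_ATTRIBUTES = {
    "finance-reader": {"classification": "confidential", "responsible": "alice@example.com"},
    "viewer": {"classification": "public", "responsible": "bob@example.com"},
}
NOTIFY_CLASSIFICATIONS = {"confidential", "restricted"}  # assignments worth a notification

# Constructed admin-event records; the field layout is assumed from Keycloak's
# admin events, where "representation" is a JSON-encoded string of the roles touched.
SAMPLE_EVENTS = [
    {"operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/1111-2222/role-mappings/realm", "authDetails": {"userId": "admin-1"},
     "representation": json.dumps([{"id": "r1", "name": "finance-reader"}, {"id": "r2", "name": "viewer"}])},
    {"operationType": "DELETE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/1111-2222/role-mappings/realm", "authDetails": {"userId": "admin-1"},
     "representation": json.dumps([{"id": "r1", "name": "finance-reader"}])},
]

def assigned_roles(event):
    """Role names granted by a role-mapping CREATE event; [] for anything else."""
    if event.get("resourceType") not in ("REALM_ROLE_MAPPING", "CLIENT_ROLE_MAPPING"):
        return []
    if event.get("operationType") != "CREATE" or not event.get("representation"):
        return []
    try:
        roles = json.loads(event["representation"])
    except ValueError:
        return []  # malformed representation: skip rather than abort the audit run
    return [r["name"] for r in roles if isinstance(r, dict) and "name" in r]

def notifications(events, attributes=ROLE_ATTRIBUTES):
    """(responsible, role, target path, acting admin) for each classified assignment."""
    out = []
    for ev in events:
        for role in assigned_roles(ev):
            attrs = attributes.get(role, {})
            if attrs.get("classification") in NOTIFY_CLASSIFICATIONS:
                out.append((attrs.get("responsible"), role, ev.get("resourcePath"),
                            ev.get("authDetails", {}).get("userId")))
    return out

if __name__ == "__main__":
    for who, role, path, admin in notifications(SAMPLE_EVENTS):
        print(f"notify {who}: {role} assigned at {path} by {admin}")
```

Only the CREATE event for the confidential role produces a notification; the public role and the DELETE event are ignored.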



_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org<mailto:keycloak-dev at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev