[keycloak-dev] Possible feature: role attributes

Stian Thorgersen sthorger at redhat.com
Mon Sep 10 03:22:07 EDT 2018


Sounds good. I can't think of anything that you've missed from the list.

On Fri, 31 Aug 2018 at 15:46, Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster at bosch-si.com> wrote:

> All right. I would like to create a prototype for this. I would take
> inspiration from the way custom group attributes are currently implemented.
>
> I guess changes would be necessary in the following areas:
>
> ·         DB schema
>
> ·         Persistence layer
>
> ·         Caching layer
>
> ·         CRUD API
>
> ·         Admin console
>
> ·         Admin CLI
>
> ·         Java client
>
> ·         Admin events
>
> Anything I missed?
>
>
>
> Thanks and best regards,
>
> Sebastian
>
>
>
> Mit freundlichen Grüßen / Best regards
>
>
> Dr.-Ing. Sebastian Schuster
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY | www.bosch-si.com
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
> Sebastian.Schuster at bosch-si.com
>
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Management: Dr.
> Stefan Ferber, Michael Hahn
>
>
>
> From: Stian Thorgersen <sthorger at redhat.com>
> Sent: Monday, 27 August 2018 13:49
> To: Schuster Sebastian (INST/ESY1) <Sebastian.Schuster at bosch-si.com>
> Cc: keycloak-dev <keycloak-dev at lists.jboss.org>
> Subject: Re: [keycloak-dev] Possible feature: role attributes
>
>
>
> I don't think we need to consider adding role attributes to the token.
> That would very quickly bloat tokens.
>
>
>
> I would like to see a bit more general use of role attributes as part of
> incorporating such a feature. Otherwise it would end up being a rather
> hidden feature. Some ideas I have in mind:
>
>
>
> * Ability to do crud of role attributes in admin console
>
> * Ability to query for roles based on attributes
>
>
>
> For future work it would be great to have attributes on everything. That
> would allow us to do something like OpenShift `oc` does. Where you're able
> to search and delete everything based on attributes. One nice use-case here
> is that you can tag all clients, roles, etc.. that belong to a deployment
> (a group of apps and services) and be able to view everything that is
> related to the deployment in Keycloak.
>
>
>
> On Mon, 27 Aug 2018 at 13:32, Schuster Sebastian (INST/ESY1) <
> Sebastian.Schuster at bosch-si.com> wrote:
>
> Hi everybody,
>
> We have a use case where we would like to store additional
> meta-information for roles. This comes from our IAM requirements, which say
> there is a single responsible person for a role or that roles give access
> to data with different classifications. One way to store this kind of
> information would be to introduce role attributes to client and realm
> roles, basically similar to user or group attributes.
>
> For us, it would be sufficient to have this information purely as
> metadata, i.e. we would only read it through the audit log to inform the
> responsible person about role assignments if a role with a certain
> classification is assigned. In contrast to that, you can add group and user
> attributes to a token using user attribute mappers and the client
> application can extract this information from the token and act on it.
>
> WDYT? Does anybody else have similar requirements? Would you need role
> custom attributes also in the token? I can imagine that it gets kind of
> difficult to identify where attributes come from, once there are user,
> group, and role attributes, possibly with inheritance/composition.
>
> Best regards,
> Sebastian
>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>


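The thread sketches two things role attributes would enable: querying roles by attribute (Stian's second bullet) and, in Sebastian's use case, reading the admin audit log to notify a role's responsible person when a role with a sensitive classification is assigned. The following is an added illustration of both, written for this page and not code from Keycloak or from either author. It assumes role attributes are stored like user and group attributes (a map from attribute name to a list of values, keyed here by role id), assumes the attribute names "owner" and "classification" and a fixed ordering of classification labels, and feeds the check constructed admin events whose field names follow Keycloak's admin event log (resourceType, operationType, resourcePath, representation, authDetails) but whose ids and values are made up. It also handles the case where the event carries no representation, which is what happens when a realm's admin events are recorded without "include representation": those assignments are reported as unresolved rather than silently passed.

```python
import json
import re
from dataclasses import dataclass, field

# Constructed role metadata, keyed by role id, in the shape per-role attributes
# would take (attribute name -> list of values, as user and group attributes are).
# The attribute names "owner"/"classification" and every value are assumptions.
ROLE_ATTRIBUTES = {
    "role-1": {"name": ["finance-admin"], "owner": ["alice@example.com"], "classification": ["confidential"]},
    "role-2": {"name": ["viewer"], "owner": ["bob@example.com"], "classification": ["internal"]},
    "role-3": {"name": ["refunds"], "owner": ["carol@example.com"], "classification": ["restricted"]},
}

# Assumed ordering of classification labels, lowest to highest sensitivity.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed admin events. Field names follow Keycloak's admin event log;
# the ids, paths and values are made up for this example.
SAMPLE_ADMIN_EVENTS = [
    {"operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",
     "resourcePath": "users/u-1/role-mappings/realm",
     "authDetails": {"userId": "admin-1"},
     "representation": json.dumps([{"id": "role-1", "name": "finance-admin"},
                                   {"id": "role-2", "name": "viewer"}])},
    {"operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": "users/u-2/role-mappings/clients/c-billing",
     "authDetails": {"userId": "admin-2"},
     "representation": json.dumps([{"id": "role-3", "name": "refunds", "clientRole": True}])},
    {"operationType": "DELETE", "resourceType": "REALM_ROLE_MAPPING",   # removal: not an assignment
     "resourcePath": "users/u-1/role-mappings/realm",
     "authDetails": {"userId": "admin-1"},
     "representation": json.dumps([{"id": "role-1", "name": "finance-admin"}])},
    {"operationType": "CREATE", "resourceType": "USER",                 # unrelated resource type
     "resourcePath": "users/u-3", "authDetails": {"userId": "admin-1"}},
    {"operationType": "CREATE", "resourceType": "REALM_ROLE_MAPPING",   # no representation recorded
     "resourcePath": "users/u-4/role-mappings/realm",
     "authDetails": {"userId": "admin-2"}},
]

# Role-mapping paths look like users/<user-id>/role-mappings/realm or .../clients/<client-id>.
ROLE_MAPPING_PATH = re.compile(r"^users/(?P<user>[^/]+)/role-mappings/")


@dataclass
class Notification:
    user_id: str
    role_id: str
    role_name: str
    classification: str
    owners: list
    assigned_by: str


@dataclass
class AuditResult:
    notifications: list = field(default_factory=list)
    unresolved: list = field(default_factory=list)  # assignments whose roles could not be determined


def find_roles_by_attribute(attributes, name, value):
    """Ids of roles carrying attribute `name` with value `value` (the 'query roles by attributes' idea)."""
    return sorted(rid for rid, attrs in attributes.items() if value in attrs.get(name, []))


def role_assignment(event):
    """(user_id, roles) for a role-assignment event, else None. roles is None when no representation is present."""
    if event.get("operationType") != "CREATE":
        return None
    if event.get("resourceType") not in ("REALM_ROLE_MAPPING", "CLIENT_ROLE_MAPPING"):
        return None
    m = ROLE_MAPPING_PATH.match(event.get("resourcePath", ""))
    if not m:
        return None
    rep = event.get("representation")
    return m.group("user"), (json.loads(rep) if rep else None)


def review_assignments(events, attributes, min_classification):
    """Produce a notification for each assignment of a role classified at or above `min_classification`."""
    threshold = CLASSIFICATION_RANK[min_classification]
    result = AuditResult()
    for event in events:
        parsed = role_assignment(event)
        if parsed is None:
            continue
        user_id, roles = parsed
        if roles is None:
            result.unresolved.append(event["resourcePath"])
            continue
        for role in roles:
            attrs = attributes.get(role.get("id"))
            if attrs is None:  # role has no stored attributes: cannot classify it
                result.unresolved.append(f"{event['resourcePath']}#{role.get('id')}")
                continue
            labels = attrs.get("classification", [])
            if not labels or CLASSIFICATION_RANK.get(labels[0], -1) < threshold:
                continue
            result.notifications.append(Notification(
                user_id=user_id, role_id=role["id"], role_name=role.get("name", "?"),
                classification=labels[0], owners=list(attrs.get("owner", [])),
                assigned_by=event.get("authDetails", {}).get("userId", "unknown")))
    return result


if __name__ == "__main__":
    res = review_assignments(SAMPLE_ADMIN_EVENTS, ROLE_ATTRIBUTES, "confidential")
    for n in res.notifications:
        print(f"notify {', '.join(n.owners)}: role {n.role_name} ({n.classification}) "
              f"assigned to user {n.user_id} by {n.assigned_by}")
    for path in res.unresolved:
        print(f"could not determine roles for {path}")
```

Running the script with the constructed events reports the two assignments of confidential-or-higher roles (finance-admin to u-1, refunds to u-2), ignores the removal and the unrelated user creation, and lists the u-4 assignment as unresolved because the event carried no representation; keying the metadata by role id rather than role name is what keeps realm roles and same-named client roles apart.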