[keycloak-dev] Scalability Problems with the admin console

Ioan Eugen Stan ieugen at netdava.com
Tue Jul 16 06:20:32 EDT 2019


Hi, 

Regarding the composite role I believe there should be a limit to how many roles there can be in a composite role - for practical reasons. Not sure if this will solve the issue since there is no limit to the depth of the composition. So maybe a limit here might be in order. 

Not sure, but on the current state I think someone might be able to pull a denial of service attack using the composite roles? They might be sabotaging themselves though :). 

There might be another limit on the number of realms a single user can manage. 

Another idea:
I've noticed that some IDMs ask you to select the account you wish to operate beforehand. 

Maybe this could be used to request the scopes / roles just for that realm. 

We have an API that lists the realms.
User selects the realm and asks for a token for that realm only.

We use this pattern in our app secured with Keycloak.
Eugen Stan
Netdava International
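As an added illustration (not code from this thread or from Keycloak itself), the following Python model shows why a composite that pulls in one admin composite per realm explodes with the realm count, and how the two limits suggested above (maximum composition depth, maximum effective roles) turn that into a fast failure; all role names and the specific limit values are constructed assumptions.

```python
from collections import deque


class CompositeLimitExceeded(Exception):
    """Raised when expanding a composite role exceeds a configured bound."""


def expand_composite(role, composites, max_depth=8, max_roles=500):
    """Return the flattened set of effective roles reachable from `role`.

    `composites` maps a role name to the roles it directly contains; a leaf
    role maps to an empty list or is simply absent. Cycles are tolerated via
    the `seen` set. Exceeding max_depth or max_roles raises
    CompositeLimitExceeded so the caller fails fast instead of building an
    unbounded role list (the whoami-style payload discussed in the thread).
    """
    effective = set()
    queue = deque([(role, 0)])  # breadth-first, tracking composition depth
    seen = {role}
    while queue:
        current, depth = queue.popleft()
        if depth > max_depth:
            raise CompositeLimitExceeded(
                f"depth {depth} at {current!r} exceeds max_depth={max_depth}")
        effective.add(current)
        if len(effective) > max_roles:
            raise CompositeLimitExceeded(
                f"more than max_roles={max_roles} effective roles")
        for child in composites.get(current, ()):
            if child not in seen:
                seen.add(child)
                queue.append((child, depth + 1))
    return effective


def build_many_realms(n_realms, roles_per_realm):
    """Constructed sample: a master 'admin' composite that contains one
    '<realm>-realm-admin' composite per realm, each holding that realm's
    management roles. Effective size is 1 + n_realms * (1 + roles_per_realm).
    """
    composites = {"admin": []}
    for i in range(n_realms):
        realm_admin = f"realm{i}-realm-admin"
        composites["admin"].append(realm_admin)
        composites[realm_admin] = [
            f"realm{i}-role{j}" for j in range(roles_per_realm)]
    return composites
```

With three realms the expansion stays small; with 400 realms and three roles each it reaches 1601 roles and trips the max_roles bound instead of being serialised.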


  Original message  



From: sthorger at redhat.com
Sent: 16 July 2019 10:42
To: Gregor.Tudan at cofinpro.de
Reply to: stian at redhat.com
Cc: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] Scalability Problems with the admin console


PRs for this would be more than welcome. It's been a while since I've
looked at this, but there's at least the two issues identified in the
issues, pagination of realms and whoami. Pagination on the realm list page
would be simple enough, but how to do it for the drop-down needs some
consideration. The whoami issue boils down to the fact that the admin can
have a composite role that adds roles for all realms, which quickly can
explode. Not sure how to solve that one as we don't really want to have
some additional admin console specific logic in how composite roles are
resolved.

On Mon, 8 Jul 2019 at 16:34, Gregor Tudan <Gregor.Tudan at cofinpro.de> wrote:

> Hi there,
>
> We are running a Keycloak instance with quite a lot of realms (~400 and
> growing) and are starting to get into the dreaded scalability issue of the
> admin console (https://issues.jboss.org/browse/KEYCLOAK-6096). I’ve been
> watching the issue for quite a while now and you made it clear that this
> isn’t a top priority at the moment.
>
> The issue is flagged with "Awaiting volunteers" and I’d love to contribute.
>
> The design proposed by the reporter sounds reasonable. There would have to
> be some changes to the whoami-API (which seems to be exclusively used by
> the console). The Realms-API would need pagination, which could be kept
> backwards compatible. There’s already a page in the admin-ui for
> realm-selection that we could add pagination to:
> https://service-e.tech.visualvest.de/auth/admin/master/console/#/realms
>
> What do you think? Can I go ahead and give it a try?
>
> Thanks,
> Gregor
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev