[keycloak-dev] Filtering in New Account Console

Stian Thorgersen sthorger at redhat.com
Thu Oct 3 05:02:27 EDT 2019


Simply returning all clients is not going to work for a few reasons:

* It will return clients that are not applications/UIs
* It can return applications the user doesn't have access to
* There can be thousands (in fact we know about users with 10K+ clients)

That means we need the following:

1) Limit clients returned by the REST endpoint to only those that are
indeed applications/UIs
2) Limit applications to those the user has access to
3) Support filtering and pagination (even though 1 and 2 most likely will
significantly reduce the number of applications to 10s of applications, we
still need to have pagination and filtering support)

Some ideas on how we can achieve the above:

1) Figuring out what is indeed applications/UIs

List applications that are added to open sessions, including the below:

* All OIDC clients where: client.baseUrl != null && !client.bearerOnly
* All SAML clients where: client.baseUrl != null**

This will make sure we only include applications where the user can
actually click on the application in the list to go to the application.

** Not sure if there's anything in addition to check for SAML

2) Limit applications to those the user has access to

Not sure about this one as we don't really have an easy way to figure out
if a user has access to an application or not. One idea would be to only
include clients where user has at least one client role. Even if the
application doesn't use client roles directly a "dummy" role can be created
for this purpose by admins/developers.

3) Pagination and filtering

All endpoints should support pagination and filtering by design. Pagination
and filtering should be server-side (REST endpoint should provide according
to our REST guidelines).

On Wed, 2 Oct 2019 at 19:11, Stan Silvert <ssilvert at redhat.com> wrote:

> Specifically, we need to discuss filtering and pagination as it relates
> to the "Applications" page:
>
> https://marvelapp.com/c90dfi0/screen/59942290
>
> The current design allows filtering by name and application type.
>
> However, Stian has pointed out that some customers will have thousands
> of clients.  So this design might be unworkable.
>
> I don't want to go too far into the weeds right now because I want to
> understand the problem better first.
>
> What is the use case when customers have many, many clients?
>
> How common is it to have many, many clients for a single user?
>
> What do those clients look like?
>
> What could we use to filter on?  The information we currently have on
> the client side looks something like what you see here:
>
> https://marvelapp.com/c90dfi0/screen/59942292

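Added example, not part of the original message and not Keycloak's own code: a sketch of the three rules from the mail applied server-side, so that clients the user has no role on never reach the browser. The Client record, the list() signature, the first/max parameters and the page-size cap of 100 are assumptions made for illustration.

```java
import java.util.*;
import java.util.stream.*;

// Illustration only: Client is a hypothetical stand-in, not Keycloak's client model.
public class ApplicationListing {
    record Client(String clientId, String protocol, String baseUrl, boolean bearerOnly) {}

    // Rule 1: only clients the user can actually click through to.
    static boolean isApplication(Client c) {
        if (c.baseUrl() == null) return false;
        return switch (c.protocol()) {
            case "openid-connect" -> !c.bearerOnly();
            case "saml" -> true;
            default -> false;
        };
    }

    // Rules 1-3 on the server: access check before name filtering, paging last.
    static List<Client> list(Collection<Client> clients, Map<String, Set<String>> userClientRoles,
                             String nameFilter, int first, int max) {
        String needle = nameFilter == null ? "" : nameFilter.toLowerCase(Locale.ROOT);
        return clients.stream()
                .filter(ApplicationListing::isApplication)
                // Rule 2 (the "at least one client role" idea): no role on the client, no entry.
                .filter(c -> !userClientRoles.getOrDefault(c.clientId(), Set.of()).isEmpty())
                .filter(c -> c.clientId().toLowerCase(Locale.ROOT).contains(needle))
                // Fixed sort order so consecutive pages neither overlap nor skip entries.
                .sorted(Comparator.comparing(Client::clientId))
                .skip(Math.max(first, 0))
                // Clamp the page size so a caller cannot request the whole client list at once.
                .limit(Math.min(Math.max(max, 0), 100))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Client> clients = List.of(
                new Client("billing-ui", "openid-connect", "https://billing.example.com", false),
                new Client("billing-api", "openid-connect", null, true),   // bearer-only API, no base URL
                new Client("hr-portal", "saml", "https://hr.example.com", false),
                new Client("wiki", "openid-connect", "https://wiki.example.com", false));
        // The user holds no client role on "wiki".
        Map<String, Set<String>> roles = Map.of(
                "billing-ui", Set.of("user"), "billing-api", Set.of("read"), "hr-portal", Set.of("access"));
        list(clients, roles, null, 0, 10).forEach(c -> System.out.println(c.clientId()));
    }
}
```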
