[keycloak-user] Migrating existing system vs. resource management

Yannick Lazzari yannick.lazzari at gmail.com
Tue May 9 06:30:45 EDT 2017


Hi,

We're currently evaluating Keycloak to migrate an existing system. For the
sake of the discussion, let's use the photoz example and pretend we are an
online picture hosting service and that we have millions of albums,
belonging to thousands of users (users typically have more than one album,
so we have more albums than users).

If we were to implement the same permissions and wanted to constrain the
deletion of an album to its owner, does that mean that we would first need
to "sync" all our existing albums in Keycloak by "pushing" a
ResourceRepresentation for each of them, so that we can then have a policy
that uses the owner?

And what if we actually have dozens of other resource types for which we
want to enforce similar "resource owner" policies, each of them having
millions of records and living in different databases? Is it also expected
for all of them to do the same, essentially maintaining duplicates (in some
form) of all existing records in our system inside Keycloak's single
database, just so that we can use the resource owner in some policies?

We understand the simple photoz example, for something that starts from
scratch and with little data, but we have a hard time seeing how such an
approach can scale well for an existing system with millions of resources
of different types. Or perhaps we're completely missing the point or an
important piece of the puzzle.

Instead of having to push resources to Keycloak, is there a way to provide
arbitrary attributes that would be stored in the evaluation context of
policies and made available for the duration of a single authorization
request? For instance, when authorizing access to /album/123, could we tell
Keycloak that the owner of this album is actually user id 456, have it
stored in some attribute in the evaluation context and then use that
attribute in a policy (whether it's JavaScript or Drools), along with some
other arbitrary attributes? We've seen discussions around the usage of
custom user claims, but this does not really seem to apply here since those
are not resource-specific. Or would there be a way to "extend" Keycloak and
use a hook that is provided that would allow us to somehow add this
information to the evaluation context?

Looking for help to see how we would start tackling such a problem, if we
were to adopt Keycloak.

Thank you very much for any insight anyone can provide!

Yannick
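The two variants the post contrasts, as an added example that is not part of the original message or of the Keycloak project: a Keycloak JavaScript policy that grants only the resource owner, reading the owner first from a resource registered in Keycloak (the photoz style) and, failing that, from an `album_owner` attribute assumed to have been placed in the evaluation context for this one request. The attribute name `album_owner`, the user ids and the `makeEvaluation` stand-in for Keycloak's `$evaluation` object are constructed for this example so it runs under Node; inside Keycloak the body of `ownerPolicy` is the entire policy script and `$evaluation` is supplied by the policy engine.

```javascript
// Added example, not from the original post or from Keycloak itself.
// ownerPolicy() is written against the real Keycloak policy API
// ($evaluation.getContext(), getPermission().getResource().getOwner(),
// getContext().getAttributes().getValue(name).asString(0), grant(), deny()).

function ownerPolicy($evaluation) {
  var context = $evaluation.getContext();
  var identity = context.getIdentity();
  var resource = $evaluation.getPermission().getResource();

  // Variant 1: the album was registered in Keycloak with an owner.
  var owner = resource.getOwner();

  // Variant 2 (assumption): an 'album_owner' attribute was put into the
  // evaluation context for this request, so the album itself never had to
  // be registered. Entry.asString(0) reads the first value of the attribute.
  if (owner == null) {
    var entry = context.getAttributes().getValue('album_owner');
    if (entry != null) {
      owner = entry.asString(0);
    }
  }

  // String() normalises both Java strings (Nashorn) and JS strings (Node).
  if (owner != null && String(owner) === String(identity.getId())) {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// Constructed stand-in for the objects Keycloak hands to a policy script.
// opts.userId: id of the authenticated user; opts.resourceOwner: owner of a
// registered resource (omit for an unregistered album); opts.attributes:
// name -> list of values, modelling the evaluation-context attributes.
function makeEvaluation(opts) {
  var decision = null;
  var attrs = opts.attributes || {};
  return {
    getContext: function () {
      return {
        getIdentity: function () {
          return { getId: function () { return opts.userId; } };
        },
        getAttributes: function () {
          return {
            getValue: function (name) {
              if (!Object.prototype.hasOwnProperty.call(attrs, name)) return null;
              var values = attrs[name];
              return { asString: function (i) { return values[i]; } };
            }
          };
        }
      };
    },
    getPermission: function () {
      return {
        getResource: function () {
          return {
            getOwner: function () {
              return opts.resourceOwner === undefined ? null : opts.resourceOwner;
            }
          };
        }
      };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    decision: function () { return decision; }
  };
}

// Runs the policy once and returns 'GRANT' or 'DENY'.
function decide(opts) {
  var ev = makeEvaluation(opts);
  ownerPolicy(ev);
  return ev.decision();
}

// Constructed scenarios: /album/123 owned by user 456.
console.log(decide({ userId: '456', resourceOwner: '456' }));                   // GRANT
console.log(decide({ userId: '789', resourceOwner: '456' }));                   // DENY
console.log(decide({ userId: '456', attributes: { album_owner: ['456'] } }));   // GRANT
console.log(decide({ userId: '456' }));                                         // DENY
```

The last scenario is the one to watch in a migration: an album that is neither registered in Keycloak nor described by a request attribute yields no owner at all, and the policy must deny rather than fall through, otherwise every record not yet synced is effectively world-deletable.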

