[keycloak-user] User Attributes security and organization

[Eric B]

I just starting working with KeyCloak (3.4.3) and have been looking at the
user attributes and trying to determine how I can leverage some custom
attributes for my different clients.  Two things in particular stand out
when I look at the user attributes:

1) there is no mapping/assignment of attributes per client
2) there is no security assignment on the attributes (ex: what can be
self-administered, what is read-only, what is visible to the client, etc)

This becomes an issue when a user logs into the admin panel.  Once he is
logged in, he can essentially post a form with any attributes defined and
these will automatically be persisted in the KeyCloak DB.  While I'm not
concerned about CSRF, I am concerned about a malicious user trying to
explode by DB by submitting an extraneous number of attributes that KC will
persist.

Additionally, if I want to use a user attribute to specify some read-only
information about a user, if the user knows the attribute name, he can
override it via a form post.  So essentially, I have no way to secure the
attributes.

In a similar vein, I am a bit taken aback that all attributes are
associated to the user only and cannot be assigned to a client.  I would
like to be able to specify some client-specific attributes, and have KC
automatically filter the attributes available to a client token
accordingly.  Is this not feasible?

Are either of these functionalities implementable through some form of
customization, or are they on the roadmap for a future version?

Thanks,

Eric