[keycloak-user] resource ids

Pedro Igor Silva psilva at redhat.com
Wed Oct 23 18:26:41 EDT 2019


On Wed, Oct 23, 2019 at 1:52 PM Corentin Dupont <corentin.dupont at gmail.com>
wrote:

> Oh, I understand. So uniqueness requirements are like that:
> Unique: _id
> Unique: owner + name
>
> Is it correct?
>

Correct


> In my app, the same owner can have resources with the same ID, provided that
> they have different types.
> e.g. a user "Paul" can have a car named "Megane" and a child named
> "Megane" (sorry for that example).
> I don't have resources belonging to the resource server (only to users).
>
> Anyway, I don't understand the reason behind the uniqueness requirement
> for owner+name? Isn't the _id sufficient?
>

IIRC, that is because we rely on unique names during the pre-evaluation
phase, when preparing the permissions to be evaluated. I agree we can
review that and possibly change.


>
> On Wed, Oct 23, 2019 at 6:42 PM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Hi Corentin,
>>
>> The name is unique for the same client and owner. Different owners can have
>> resources with the same name. Or are you talking about resources owned by the
>> resource server itself?
>>
>> On Wed, Oct 23, 2019 at 10:25 AM Corentin Dupont <
>> corentin.dupont at gmail.com> wrote:
>>
>>> Hi guys,
>>> I was wondering why BOTH resource name and id have to be unique.
>>> Wouldn't only unique ID be enough? Why also name?
>>> This is causing me trouble because my users can choose the resource name.
>>>
>>> Another problem is that for me different resource types can have the
>>> same ID.
>>> e.g. a resource of type A can have the same ID as a resource of type B.
>>> How can that be solved in Keycloak? By prefixing both ID and name with
>>> the type?
>>> Thanks
>>>
>>>
>>> On Tue, Jul 2, 2019 at 10:28 PM Corentin Dupont <
>>> corentin.dupont at gmail.com> wrote:
>>>
>>>> Hi Pedro,
>>>> What I wondered is why the name (beside the ID) should be unique?
>>>> Regarding type, my point was that in my app resources with different
>>>> types can have the same ID.
>>>>
>>>> On Thu, Jun 27, 2019 at 2:53 PM Pedro Igor Silva <psilva at redhat.com>
>>>> wrote:
>>>>
>>>>> Hi Corentin,
>>>>>
>>>>> One of the main reasons to allow setting the ID is to make it easier to
>>>>> map resources managed by Keycloak to those you are protecting in your app.
>>>>>
>>>>> The IDs must be unique.
>>>>>
>>>>> It is not clear to me why the type is not enough?
>>>>>
>>>>> On Thu, Jun 27, 2019 at 5:28 AM Corentin Dupont <
>>>>> corentin.dupont at gmail.com> wrote:
>>>>>
>>>>>> Hi guys,
>>>>>> I discovered that you can provide your own id when creating resources:
>>>>>>
>>>>>> curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" \
>>>>>>   -H "Authorization: Bearer $CLIENTTOKEN" \
>>>>>>   -H "Content-Type: application/json" \
>>>>>>   -d '{"_id": "123-456", "type": "test", "name": "test",
>>>>>>        "scopes": ["sensors:create","sensors:view","sensors:update","sensors:delete"],
>>>>>>        "owner": "cdupont", "ownerManagedAccess": true}'
>>>>>>
>>>>>> This is very practical for synchronizing the resources with my own
>>>>>> database.
>>>>>> After some investigation, I found:
>>>>>> - the ID should be unique
>>>>>> - the name should be unique
>>>>>>
>>>>>> Is that correct? The resource type is not used in the unicity.
>>>>>> In my application database, resources with different types are stored in
>>>>>> different collections, so two resources with different types *can* have
>>>>>> the same ID.
>>>>>> How do you suggest to solve this in Keycloak? Providing a Keycloak ID of
>>>>>> the form <type>-<ID> for example? e.g. sensor-123 and project-123 would
>>>>>> not collide.
>>>>>>
>>>>>> Cheers
>>>>>
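
The `<type>-<ID>` scheme proposed in the thread, sketched in Python as an added example (not code from the thread or from Keycloak). The function names, the choice to prefix the name as well, and the sample values are assumptions; the constraints checked are the two confirmed above (unique `_id`, unique owner + name).

```python
SEP = "-"  # separator of the <type>-<ID> scheme proposed in the thread

def keycloak_id(rtype, app_id):
    """Build a Keycloak _id of the form <type>-<ID>.

    The type must not contain the separator: otherwise ("sensor-a", "1")
    and ("sensor", "a-1") would both map to "sensor-a-1", and a permission
    granted on one resource would land on the other.
    """
    if not rtype or SEP in rtype:
        raise ValueError(f"type {rtype!r} must be non-empty and free of {SEP!r}")
    if not app_id:
        raise ValueError("application ID must be non-empty")
    return f"{rtype}{SEP}{app_id}"

def split_keycloak_id(kc_id):
    """Recover (type, app_id); only the first separator is significant."""
    rtype, sep, app_id = kc_id.partition(SEP)
    if not (rtype and sep and app_id):
        raise ValueError(f"{kc_id!r} is not of the form <type>{SEP}<ID>")
    return rtype, app_id

def resource_payload(rtype, app_id, name, owner, scopes):
    """JSON body for POST .../authz/protection/resource_set."""
    return {
        "_id": keycloak_id(rtype, app_id),
        "type": rtype,
        # Assumption: the user-chosen name is prefixed too, because
        # owner + name must be unique regardless of type.
        "name": keycloak_id(rtype, name),
        "scopes": list(scopes),
        "owner": owner,
        "ownerManagedAccess": True,
    }

def find_conflicts(payloads):
    """List violations of 'unique _id' and 'unique owner + name'."""
    ids, names, conflicts = set(), set(), []
    for p in payloads:
        key = (p["owner"], p["name"])
        if p["_id"] in ids:
            conflicts.append(("_id", p["_id"]))
        if key in names:
            conflicts.append(("owner+name", key))
        ids.add(p["_id"])
        names.add(key)
    return conflicts
```

Running `find_conflicts` over the application's resources before syncing them shows which ones Keycloak would reject as duplicates.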

