Open boehlke opened 1 month ago
Another issue came up that is also relevant: the superadmin account (user ID 1) needs a proper replacement. A Keycloak OpenSlides user has to be marked as a superadmin somehow. Superadmin powers are given via the user's organization_management_level attribute. An approach to be discussed is reflecting the management level as a Keycloak user role...
Abstract
In the current implementation, the user lives as a model in the datastore. The auth service and the backend both access the same user model.
In the new setup with Keycloak, clarity is required about where the user should live. In particular, it needs to be specified how users should be synchronized.
The best case would be circumventing synchronization.
User data
Most of the user's data is contained in the user-related datastore models. Keycloak is responsible for authentication-related data. Coming from the auth service user model (https://github.com/OpenSlides/openslides-auth-service/blob/main/auth/src/core/models/user.ts), there are the following auth-related properties:
There are discussions to import meeting participation data from the IdP.
Use-Cases/Features
Migration
User auth data needs to be migrated from the datastore user model to Keycloak.