adorsys / keycloak-config-cli

Import YAML/JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
Apache License 2.0

Fine grained auth policy for Identity Providers, Roles and Groups #663

Closed xRodney closed 2 years ago

xRodney commented 2 years ago

Problem Statement

The PR https://github.com/adorsys/keycloak-config-cli/pull/650 added support for Client Permissions, which are defined on client "realm-management" and define permissions for various clients.

In our realm, we are using permissions, but not only for Clients but also for Identity Providers, Roles and Groups.

Similar to Clients, the Permissions and Policies to IdPs, Roles and Groups are stored in a format which includes the internal UUID of the object. This is a problem, as the UUID is not known before the object is created by the cli.

I'm attaching a realm showcasing all three types of Permissions and Roles. realm-fine-grained-perms.zip

The format seems to be like this:

Identity Provider: key is the Identity Provider internalId
  Resource name: idp.resource.<internalId>
  Policy name: <scope>.permission.idp.<internalId>

Role: key is the role id
  Resource name: role.resource.<role id>
  Policy name: <scope>.permission.<role id> (interestingly, the policy name in my export does not contain the "role." segment as one might expect)

Group: key is the group id
  Resource name: group.resource.<group id>
  Policy name: <scope>.permission.group.<group id>

Proposed Solution

The PR https://github.com/adorsys/keycloak-config-cli/pull/650 solved the problem for Clients by introducing a replacement rule for Resource names:

For example, in the CLI test there is a Resource named "client.resource.$z-fine-grained-permission-client-without-id", which the importer interprets as "find a client with clientId "z-fine-grained-permission-client-without-id" and replace the variable in the resource name with its internal UUID".

I am proposing to give a similar treatment to IdPs, Roles and Groups:

Environment

Additional information

No response

Acceptance Criteria

No response
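A sketch of the placeholder substitution the proposal describes, extended from clients to IdPs, roles and groups, as an added example written in Python; it is not keycloak-config-cli code and does not reflect how the project implements the client rule. It assumes the `$name` convention from the client test (resource `idp.resource.$<alias>`, `role.resource.$<role name>`, `group.resource.$<group path>`, and the matching `<scope>.permission.…` policy names, with the role policy lacking the kind segment as noted above), a constructed realm lookup table standing in for the Keycloak API, and that a permission policy's `config.resources` is a JSON-encoded list of resource names as in realm exports. An unknown placeholder raises instead of being imported verbatim, since a resource named after a non-existent object would guard nothing.

```python
import json
import re

# Constructed sample realm: the keys are the stable identifiers a config author
# knows before import (clientId, IdP alias, role name, group path); the UUIDs
# stand in for the ids Keycloak assigns at creation time.
SAMPLE_REALM = {
    "clients": {"z-fine-grained-permission-client-without-id": "0b4a9d2e-0000-4000-8000-000000000001"},
    "identityProviders": {"github": "0b4a9d2e-0000-4000-8000-000000000002"},
    "roles": {"admin": "0b4a9d2e-0000-4000-8000-000000000003"},
    "groups": {"/developers": "0b4a9d2e-0000-4000-8000-000000000004"},
}

PLACEHOLDER = "$"

# Resource-name prefix -> realm section, following the naming scheme in the issue.
RESOURCE_PREFIXES = {
    "client.resource.": "clients",
    "idp.resource.": "identityProviders",
    "role.resource.": "roles",
    "group.resource.": "groups",
}

# Policy names are <scope>.permission.<kind>.<id>; the role form carries no <kind>
# segment, so "kind" is optional and its absence maps to the roles section.
POLICY_RE = re.compile(
    r"^(?P<scope>[^.]+)\.permission\.(?:(?P<kind>client|idp|group)\.)?(?P<key>.+)$"
)
KIND_SECTIONS = {"client": "clients", "idp": "identityProviders", "group": "groups", None: "roles"}


class UnresolvedReference(KeyError):
    """A $placeholder names an object that does not exist in the realm."""


def lookup(realm, section, key):
    try:
        return realm[section][key]
    except KeyError:
        # Fail closed: an unresolved placeholder would otherwise be imported
        # verbatim and silently protect nothing.
        raise UnresolvedReference(f"no {section} entry for '{key}'") from None


def resolve_resource_name(name, realm):
    """Replace a $placeholder in a fine-grained-permission resource name with the UUID."""
    for prefix, section in RESOURCE_PREFIXES.items():
        if name.startswith(prefix + PLACEHOLDER):
            return prefix + lookup(realm, section, name[len(prefix) + 1:])
    return name  # already a UUID, or not a fine-grained-permission resource


def resolve_policy_name(name, realm):
    """Replace a $placeholder in a <scope>.permission.[<kind>.]<id> policy name."""
    m = POLICY_RE.match(name)
    if not m or not m.group("key").startswith(PLACEHOLDER):
        return name
    kind = m.group("kind")
    uuid = lookup(realm, KIND_SECTIONS[kind], m.group("key")[1:])
    kind_segment = f"{kind}." if kind else ""
    return f"{m.group('scope')}.permission.{kind_segment}{uuid}"


def resolve_authorization(settings, realm):
    """Return a copy of a resource-server settings dict with placeholders resolved in
    resource names, policy names and each policy's 'resources' config (assumed to be a
    JSON-encoded list of resource names, as in realm exports)."""
    out = json.loads(json.dumps(settings))  # deep copy, leave the input untouched
    for resource in out.get("resources", []):
        resource["name"] = resolve_resource_name(resource["name"], realm)
    for policy in out.get("policies", []):
        policy["name"] = resolve_policy_name(policy["name"], realm)
        config = policy.get("config", {})
        if "resources" in config:
            refs = json.loads(config["resources"])
            config["resources"] = json.dumps([resolve_resource_name(r, realm) for r in refs])
    return out


if __name__ == "__main__":
    # Constructed fragment of a realm-management authorization section.
    sample = {
        "resources": [{"name": "idp.resource.$github"}, {"name": "role.resource.$admin"}],
        "policies": [
            {"name": "view.permission.idp.$github",
             "config": {"resources": json.dumps(["idp.resource.$github"])}},
            {"name": "map-roles.permission.$admin",
             "config": {"resources": json.dumps(["role.resource.$admin"])}},
        ],
    }
    print(json.dumps(resolve_authorization(sample, SAMPLE_REALM), indent=2))
```

The lookup table is the only part that depends on Keycloak: in a real importer it would be filled from the objects created earlier in the same run, which is exactly why the substitution has to happen after those objects exist.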

jkroepke commented 2 years ago

Hi @xRodney

are you interested in providing a PR, including tests?

xRodney commented 2 years ago

Sure, I'll give it a try.