embesozzi / keycloak-openfga-workshop

Keycloak integration with OpenFGA (based on Zanzibar) for Fine-Grained Authorization at Scale (ReBAC)
https://medium.com/@embesozzi/keycloak-integration-with-openfga-based-on-zanzibar-for-fine-grained-authorization-at-scale-d3376de00f9a
Apache License 2.0
91 stars 26 forks

Question: Config Sync between fga and keycloak #8

Open marcportabellaclotet-mt opened 1 week ago

marcportabellaclotet-mt commented 1 week ago

Thank you for sharing this PoC! It's both fascinating and incredibly useful.

I have a question regarding how Keycloak roles are kept in sync with OpenFGA.

From my understanding, this PoC leverages the Keycloak listener to publish events for created or deleted roles and users to OpenFGA.

However, there could be scenarios where the sync might get out of date or missed. Could you share how you ensure that Keycloak roles and users remain consistent with OpenFGA tuples in such cases?

embesozzi commented 6 days ago

Hi @marcportabellaclotet-mt, thanks for the feedback!

Currently, the keycloak-openfga-event-publisher does not have a retry feature. I have an idea of how to implement this (with a custom transaction in order to have rollback capability), but it’s currently in the backlog.

For more complex scenarios, I’ve ended up synchronizing the events using an IGA (Identity Governance Platform) to enable retry/reconciliation of events between the identity model and the OpenFGA authorization model within the Identity Access Plus Platform.

marcportabellaclotet-mt commented 5 days ago

Thanks for sharing.

I was thinking of other scenarios, where for example the config in OpenFGA is deleted by mistake or failure. Even having a retry feature in the event publisher won't cover this scenario.

I was thinking of something like a background check to ensure that the config is in sync, similar to this

How does the reconciliation of events work with the Identity Access Plus platform?

embesozzi commented 5 days ago

> I was thinking of other scenarios, where for example the config in OpenFGA is deleted by mistake or failure. Even having a retry feature in the event publisher won't cover this scenario.
>
> I was thinking of something like a background check to ensure that the config is in sync, similar to this

Yes, implementing the ScheduledTask can also help to schedule processes for syncing the objects.

> How does the reconciliation of events work with the Identity Access Plus platform?

When you have an IGA platform, you can work with connectors/drivers that support syncing processes through reconciliation or live sync actions.
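The background check discussed above (a job that brings OpenFGA back in line with Keycloak even when events were missed or the store was wiped), as an added example that is not the workshop's code and not the keycloak-openfga-event-publisher. It is written as a standalone reconciliation job rather than a Keycloak ScheduledTask, and it makes these assumptions: the tuple shape `user:<keycloak user id>` `assignee` `role:<role name>` (adjust to the authorization model you actually deploy), a constructed Keycloak snapshot in place of calls to the admin REST API, and a constructed read response shaped like OpenFGA's `POST /stores/{store_id}/read` body. It produces `POST /stores/{store_id}/write` bodies for the difference only, so re-running it is idempotent (OpenFGA rejects writing a tuple that already exists or deleting one that does not), it touches only the tuples it owns, and it refuses to mass-revoke when the Keycloak side looks like a failed read.

```python
"""Periodic reconciliation of Keycloak role assignments into OpenFGA tuples.

Added example (not the workshop's code): derives the desired tuples from
Keycloak, compares them with what OpenFGA currently holds, and emits
idempotent OpenFGA Write request bodies for the difference.
"""
from dataclasses import dataclass

# Tuple shape ASSUMED for this example: a Keycloak user is an `assignee` of a
# `role:<name>` object. Change these if your authorization model differs.
ROLE_RELATION = "assignee"
MANAGED_OBJECT_PREFIX = "role:"
MAX_TUPLES_PER_WRITE = 100  # OpenFGA's default per-request limit


@dataclass(frozen=True, order=True)
class FgaTuple:
    user: str
    relation: str
    object: str

    def key(self) -> dict:
        return {"user": self.user, "relation": self.relation, "object": self.object}


# Source of truth. CONSTRUCTED sample: per user, the id, enabled flag and the
# effective realm roles you would collect from the Keycloak admin REST API.
KEYCLOAK_STATE = {
    "alice": {"id": "u-1001", "enabled": True, "realm_roles": ["admin", "viewer"]},
    "bob": {"id": "u-1002", "enabled": True, "realm_roles": ["viewer"]},
    "carol": {"id": "u-1003", "enabled": False, "realm_roles": ["viewer"]},
}

# Current state. CONSTRUCTED sample shaped like the body of POST /stores/{id}/read.
OPENFGA_READ_RESPONSE = {
    "tuples": [
        {"key": {"user": "user:u-1001", "relation": "assignee", "object": "role:admin"}},
        {"key": {"user": "user:u-1002", "relation": "assignee", "object": "role:viewer"}},
        # stale: carol was disabled in Keycloak after this tuple was written
        {"key": {"user": "user:u-1003", "relation": "assignee", "object": "role:viewer"}},
        # orphan: the user no longer exists in Keycloak (delete event was missed)
        {"key": {"user": "user:u-1999", "relation": "assignee", "object": "role:viewer"}},
        # owned by the application, not by this job: must never be touched
        {"key": {"user": "user:u-1001", "relation": "owner", "object": "document:budget"}},
    ],
    "continuation_token": "",
}


def desired_tuples(keycloak_state: dict) -> set[FgaTuple]:
    """Tuples OpenFGA should hold, derived from Keycloak (disabled users get none)."""
    wanted = set()
    for rep in keycloak_state.values():
        if not rep["enabled"]:
            continue
        for role in rep["realm_roles"]:
            wanted.add(FgaTuple(f"user:{rep['id']}", ROLE_RELATION, f"{MANAGED_OBJECT_PREFIX}{role}"))
    return wanted


def managed_tuples(read_response: dict) -> set[FgaTuple]:
    """Only the tuples this job owns; everything else in the store is left alone."""
    held = set()
    for entry in read_response["tuples"]:
        k = entry["key"]
        if k["relation"] == ROLE_RELATION and k["object"].startswith(MANAGED_OBJECT_PREFIX):
            held.add(FgaTuple(k["user"], k["relation"], k["object"]))
    return held


def plan(desired: set[FgaTuple], current: set[FgaTuple], max_delete_fraction: float = 0.5):
    """Compute the write and delete lists. Refuses to proceed when the deletes look
    like a partial or failed Keycloak read rather than genuine revocations."""
    writes = sorted(desired - current)
    deletes = sorted(current - desired)
    if current and len(deletes) / len(current) > max_delete_fraction:
        raise RuntimeError(
            f"refusing to delete {len(deletes)}/{len(current)} managed tuples; "
            "verify the Keycloak read before reconciling"
        )
    return writes, deletes


def write_requests(writes, deletes, batch_size: int = MAX_TUPLES_PER_WRITE) -> list[dict]:
    """Bodies for POST /stores/{store_id}/write, each within the per-request limit.
    Sending only the difference keeps the job idempotent: OpenFGA rejects writing
    a tuple that already exists or deleting one that does not."""
    ops = [("writes", t) for t in writes] + [("deletes", t) for t in deletes]
    bodies = []
    for i in range(0, len(ops), batch_size):
        body: dict = {}
        for kind, t in ops[i:i + batch_size]:
            body.setdefault(kind, {"tuple_keys": []})["tuple_keys"].append(t.key())
        bodies.append(body)
    return bodies


def reconcile(keycloak_state: dict, read_response: dict) -> list[dict]:
    writes, deletes = plan(desired_tuples(keycloak_state), managed_tuples(read_response))
    return write_requests(writes, deletes)


if __name__ == "__main__":
    for body in reconcile(KEYCLOAK_STATE, OPENFGA_READ_RESPONSE):
        print(body)
```

In a real job the Keycloak snapshot comes from the admin API (users plus each user's realm role mappings) and the OpenFGA read must follow `continuation_token` until it is empty; both reads should complete before `plan` runs, which is exactly what the delete guard protects. The event publisher stays in place for low-latency propagation; this job only corrects drift, so scheduling it every few minutes is usually enough.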