Open MGLL opened 1 month ago
Hi @xgp,
Here is the initial proposition regarding organization-tier discussed in issues/148. It is inspired by Keycloak Group role mapping, as it is something similar.
I set it as a draft for now so you can go through it and already provide some feedback or request changes.
Especially about the expiration date of tiers, if it is fine for you.
@xgp I was going through the Keycloak Dev Day video and you mentioned that relationships with existing entities / models are hard. With this PR, I'm actually creating a relationship with Keycloak Roles.
So, I'm wondering: should I create a proper _ext_p2tier entity / table to avoid this relationship? (I would still map the assigned tier on the org to realm_access of tokens, as it is what applications check for permissions.)
Let me know.
@MGLL The issue that I was referencing in the talk was the idea that you can't (easily) enhance the entities and models on the Keycloak side. I don't think there's a problem with creating a relationship with Keycloak Roles.
Features:
Capacity to define tiers (with or without an expiration date) on an organization, which are mapped to the realm_access.roles token claim with token mappers.
Based on Keycloak Roles; currently only Realm Roles, but could be extended to Client Roles.
Endpoints and logic inspired by Keycloak Groups.
Use Case:
This feature may be useful in a SaaS platform context with multiple tiers, where you want to leverage Keycloak roles for that (and eventually Authorization with Policies).
Endpoints:
...realms/{REALM}/orgs/{ORG-ID}/role-mappings
...realms/{REALM}/orgs/{ORG-ID}/role-mappings/realm
More information is available in the organization-tiers.md documentation.
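The following is an added illustration of the tier-to-claim mapping described in the PR, written for this page; it is not keycloak-orgs code and does not use the Keycloak SPI. The names OrgTier, effective_tier_roles, map_realm_access and has_tier are assumptions, as are the constructed tier names and the fixed "current time". It shows the two halves the description implies: at token-issuance time, only tiers that have not expired contribute their realm role to realm_access.roles; on the application side, a permission check looks only at that claim.

```python
"""Hypothetical model of organization tiers mapped to realm_access.roles.

Illustrative only: not keycloak-orgs code. OrgTier, effective_tier_roles,
map_realm_access and has_tier are assumed names for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class OrgTier:
    """A realm role assigned to an organization as a tier, with optional expiry."""
    role: str
    expires_at: Optional[datetime] = None  # None means the tier never expires

    def is_active(self, now: datetime) -> bool:
        # A tier expiring exactly at `now` is treated as already expired.
        return self.expires_at is None or now < self.expires_at


def effective_tier_roles(tiers: Iterable[OrgTier], now: datetime) -> List[str]:
    """Roles the organization's tiers contribute at token-issuance time.

    Expired tiers are dropped here, at the mapper, rather than left for the
    application: applications only ever see realm_access.roles in the token.
    """
    return sorted({t.role for t in tiers if t.is_active(now)})


def map_realm_access(user_roles: Iterable[str], org_tiers: Iterable[OrgTier],
                     now: datetime) -> Dict[str, List[str]]:
    """Build the realm_access claim: the user's own realm roles plus active tier roles."""
    roles = set(user_roles) | set(effective_tier_roles(org_tiers, now))
    return {"roles": sorted(roles)}


def has_tier(token_claims: dict, required_role: str) -> bool:
    """Application-side check on the realm_access.roles claim of a decoded token."""
    return required_role in token_claims.get("realm_access", {}).get("roles", [])


def demo() -> dict:
    """Constructed scenario: one permanent tier, one valid tier, one expired tier."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"
    tiers = [
        OrgTier("tier-basic"),                                         # never expires
        OrgTier("tier-premium", expires_at=now + timedelta(days=30)),  # still valid
        OrgTier("tier-trial", expires_at=now - timedelta(days=1)),     # already expired
    ]
    # Token claims as the mapper would emit them for a user with one direct role.
    return {"realm_access": map_realm_access(["offline_access"], tiers, now)}


if __name__ == "__main__":
    claims = demo()
    print(claims)  # tier-trial is absent because it expired before issuance
    print("premium:", has_tier(claims, "tier-premium"), "trial:", has_tier(claims, "tier-trial"))
```

One caveat this model makes visible: expiry is evaluated when the token is issued, so an access token minted before a tier expires (or is removed from the organization) carries the role until the token's own exp. If tier removal needs to take effect promptly, keep access-token lifetimes short or revoke sessions, rather than relying on the mapper alone.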