Closed MGLL closed 1 month ago
Hi @xgp,
Here is the initial proposition regarding organization-tier discussed in issues/148. It is inspired by Keycloak Group role mapping, as it is something similar.
I set it as draft for now so you can go through and already provide some feedback or request changes.
Especially about the expiration date of tiers, if that is fine with you.
@xgp I was going through the Keycloak Dev Day video and you mentioned that relationships with existing entities / models are hard. With this PR, I'm actually creating a relationship with Keycloak Roles.
So, I'm wondering, should I create a proper _ext_p2tier entity / table to avoid this relationship? (I would still map the assigned tier on the org to realm_access of tokens, as it is what applications check for permissions.)
Let me know.
@MGLL The issue that I was referencing in the talk was the idea that you can't (easily) enhance the entities and models on the Keycloak side. I don't think there's a problem to create a relationship with Keycloak Roles.
Hello @xgp, I would like to know if you are still interested in that capability or if I should close it and keep it as a customization on my side. Thank you.
@MGLL Thanks for the reminder. We are still interested, but have just been very busy with other work. I will try to get to this in the next week. Apologies for the long delay.
No problem, I just wanted to verify.
Let me know regarding the implementation if you want a different approach, as it was inspired by KC Group (to add / remove roles).
I was torn between this approach and doing completely different API endpoints with /tiers.
Gonna close for now; I will get back to you later. Currently we use it on our side.
@MGLL Thanks again for submitting this. We've had time to review and talk to a few customers using it. There isn't sufficient interest at this time to merge into main, but we'll look again in the future.
Features:
- Capacity to define tiers (with or without an expiration date) on an organization, which are mapped to realm_access.roles token claims with token mappers.
- Based on Keycloak Roles; currently only Realm Roles, but could be extended to Client Roles.
- Endpoints and logic inspired by Keycloak Group.
Use Case:
- This feature may be useful in a SaaS Platform context with multiple tiers where you want to leverage Keycloak roles for that (and eventually Authorization with Policies).
Endpoints:
- ...realms/{REALM}/orgs/{ORG-ID}/role-mappings
- ...realms/{REALM}/orgs/{ORG-ID}/role-mappings/realm
More information is available in the organization-tiers.md documentation.
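The description above says tiers end up in the `realm_access.roles` claim, which is what applications check for permissions. The following is an added example of that application-side check, not code from this PR or from the keycloak-orgs project. It assumes tier realm roles are named with a `tier:` prefix (e.g. `tier:premium`); that naming is an assumption, the PR does not define one. The token payload is constructed for the example, and JWS signature verification is deliberately left out (a real resource server verifies the signature against the realm's JWKS before trusting any claim).

```python
"""Application-side authorization on the realm_access.roles claim of a
Keycloak access token (added example; not keycloak-orgs project code)."""
import base64
import json
import time
from typing import Optional

TIER_PREFIX = "tier:"  # assumed naming convention for tier realm roles, not from the PR

# Constructed sample payload, shaped like a Keycloak access token payload.
SAMPLE_PAYLOAD = {
    "iss": "https://keycloak.example.test/realms/demo",  # constructed issuer
    "sub": "user-123",
    "exp": 1_700_000_300,
    "nbf": 0,
    "realm_access": {"roles": ["default-roles-demo", "tier:premium", "offline_access"]},
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment without padding, as used in compact JWS."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWS (header.payload.signature).
    This only parses; it does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def realm_roles(payload: dict) -> list:
    """Extract realm_access.roles, tolerating a token without the claim."""
    return list(payload.get("realm_access", {}).get("roles", []))


def active_tiers(payload: dict, now: Optional[float] = None) -> set:
    """Tiers granted by this token. Time-window claims (exp, nbf) are checked
    so an expired token grants nothing, whatever roles it carries."""
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now or payload.get("nbf", 0) > now:
        return set()
    return {
        role[len(TIER_PREFIX):]
        for role in realm_roles(payload)
        if role.startswith(TIER_PREFIX)
    }


def require_tier(payload: dict, tier: str, now: Optional[float] = None) -> bool:
    """Authorization decision: does the token grant the requested tier?"""
    return tier in active_tiers(payload, now)


def make_demo_token(payload: dict) -> str:
    """Build a compact JWS string for the demo. The signature segment is a
    constructed placeholder, so this token would never pass real verification."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


if __name__ == "__main__":
    token = make_demo_token(SAMPLE_PAYLOAD)
    claims = decode_payload(token)
    print("tiers at issue time:", active_tiers(claims, now=1_700_000_000))
    print("premium allowed:", require_tier(claims, "premium", now=1_700_000_000))
    print("tiers after expiry:", active_tiers(claims, now=1_700_000_301))
```

The tier is derived only from roles actually present in the claim, so whatever the token mapper decides about an expired tier on the organization side is reflected here automatically; the application never needs to know the tier's expiration date itself.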