p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps
https://phasetwo.io

Dynamic authorization support #246

Closed youssefbennour closed 5 months ago

youssefbennour commented 5 months ago

I have a use case where I want to let admins in my organization create roles dynamically from my front-end application and map pre-defined application permissions to those roles. It seems this is not supported currently, since I'm not able to associate attributes with organization roles.

1. Do you have any other workaround to implement this feature?
2. Is there any reason why organization roles didn't include attributes (like client roles)?

At first, I was going to implement this cross-user multi-tenancy scenario by myself with Keycloak (with those clients and groups hacks). After I found out about your extension, I was so happy that I won't do that. Sadly, now I'm afraid that if I don't have any workaround with this issue of dynamic authorization, I'll have to build something on my own.

xgp commented 5 months ago

> I have a use case where I want to let admins in my organization create roles dynamically from my front-end application and map pre-defined application permissions to those roles.

A user with the organization role `manage-roles` can do that.

> It seems this is not supported currently, since I'm not able to associate attributes with organization roles.

I don't understand why attributes are related to an admin being able to create roles.

> Sadly, now I'm afraid that if I don't have any workaround with this issue of dynamic authorization, I'll have to build something on my own.

Keycloak 25 itself now has an organization feature, largely copied from this one. If you're building a new project, I'd suggest starting with that: https://www.keycloak.org/docs/latest/server_admin/index.html#_managing_organizations_

youssefbennour commented 5 months ago

> I don't understand why attributes are related to an admin being able to create roles.

Probably I didn't explain enough. I want end users to be able to create roles and to choose which permissions they want to include in each role. So I wanted to use role attributes as permissions. But anyway, I'll check the Keycloak organization feature.