Hello everyone, I'm starting a discussion for a feature that I think would be good to have in Keycloak, and it's about managing what the user is allowed to access in external applications. I mean, I've been working with my Web Applications in a way to control the feature-level visibility (UI Modules, menus, paths) per role.
For example, in a restaurant app:
- Role `waiter` can access "Orders".
- Role `cook` can access modules like "Orders", "Inventory".
- And so on.
The thing is: How about having a single source where Admins can define roles with their modules and assign them to users?
With this in mind I'd like to propose a Keycloak Extension (SPI) that allows:
- Admins to create "modules" with certain information.
- Admins to assign "modules" to roles.
- Applications to retrieve modules via a REST endpoint providing:
  - Realm
  - User's id
  - Client's id
My design ideas are:
- New entity/entities to represent this data.
- `RealmResourceProvider` SPI to expose the necessary resources:
- Admin UI Extension for managing modules.

Also, the structure of the modules could be:

```json
[
  {
    "id": "some-uuid",
    "name": "Orders",
    "icon": "fa-cart",
    "path": "orders/",
    "children": [
      {
        "id": "another-uuid",
        "name": "Create Order",
        "icon": "fa-plus",
        "path": "new/"
      },
      ...
    ]
  },
  ...
]
```

Another thing to mention is that we already have Realm Roles and Client Roles, so what happens with this?
I think that it could be great to allow Admins to create roles for both scenarios, and this situation can be handled by:
- Modules assigned to Realm Roles can be global (e.g. Settings Module).
- Modules assigned to Client Roles can be created and fetched only for the client as the owner (e.g. Orders in a Restaurant Client).

With a feature like this in Keycloak, applications could render role-specific menus or features directly from Keycloak without additional service logic.
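The scoping rule proposed in the post (modules on Realm Roles are global, modules on Client Roles are returned only to the owning client), as an added example that is not part of the original post or of Keycloak. The `Module` and `Assignment` records and the `resolve` method are hypothetical names, the realm and user lookups are assumed to have already produced the role sets, and all data is constructed.

```java
import java.util.*;

public class ModuleResolver {
    // Hypothetical shape mirroring the JSON in the post: id, name, icon, path, children.
    record Module(String id, String name, String icon, String path, List<Module> children) {}

    // A module attached to a role. ownerClientId == null means a Realm Role (global).
    record Assignment(String role, String ownerClientId, Module module) {}

    /** Modules visible to one user when a given client asks for them. */
    static List<Module> resolve(List<Assignment> all, Set<String> realmRoles,
                                Map<String, Set<String>> clientRoles, String clientId) {
        Set<String> rolesForClient = clientRoles.getOrDefault(clientId, Set.of());
        Map<String, Module> byId = new LinkedHashMap<>(); // de-duplicate modules shared by roles
        for (Assignment a : all) {
            boolean viaRealmRole = a.ownerClientId() == null && realmRoles.contains(a.role());
            // Client-role modules are returned only to the client that owns the role.
            boolean viaClientRole = clientId.equals(a.ownerClientId())
                    && rolesForClient.contains(a.role());
            if (viaRealmRole || viaClientRole) byId.putIfAbsent(a.module().id(), a.module());
        }
        return List.copyOf(byId.values());
    }

    public static void main(String[] args) {
        // Constructed sample data for the restaurant example.
        Module orders = new Module("m-orders", "Orders", "fa-cart", "orders/",
                List.of(new Module("m-new", "Create Order", "fa-plus", "new/", List.of())));
        Module inventory = new Module("m-inv", "Inventory", "fa-box", "inventory/", List.of());
        Module settings = new Module("m-set", "Settings", "fa-cog", "settings/", List.of());
        Module payroll = new Module("m-pay", "Payroll", "fa-money", "payroll/", List.of());
        List<Assignment> all = List.of(
                new Assignment("waiter", "restaurant", orders),
                new Assignment("cook", "restaurant", orders),
                new Assignment("cook", "restaurant", inventory),
                new Assignment("staff", null, settings),
                new Assignment("cook", "hr-portal", payroll)); // same role name, other client

        Set<String> realmRoles = Set.of("staff");
        Map<String, Set<String>> clientRoles = Map.of("restaurant", Set.of("cook"));
        // The hr-portal "cook" role must not leak into the restaurant client's answer.
        for (Module m : resolve(all, realmRoles, clientRoles, "restaurant"))
            System.out.println(m.name() + " -> " + m.path());
    }
}
```

The resolved list only drives what the UI renders; the application's own endpoints still need to check the user's roles on each request.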