Hi,
We’re trying to model a project membership and roles structure in Keycloak.
We attempted to model this as a hierarchy of groups, with a Project group containing sub-groups for each project-specific role, e.g. Project_A, Project_A_Owner, so that we could model individuals with roles that are only relevant to the specific group context.
Unfortunately we’re in the thousands of groups at this point, and seem to be hitting scalability limits.
On looking at the background, it seems the Keycloak developer community have debated this use case over time:
2015:
https://lists.jboss.org/pipermail/keycloak-dev/2015-November/005754.html
User has Manager role for Group A
2018:
https://lists.jboss.org/pipermail/keycloak-user/2018-July/014866.html
The problem would be that a User may be a PLAYER in a certain team/group but a COACH in a different team/group. I was thinking about creating roles like for example COACH at team1_1 and PLAYER at team_1_2. So during the permission evaluation I could parse this information. Unfortunately Keycloak has neither paging query support for Roles nor Groups and therefore this approach currently would not scale as you may generate a few thousand roles.
I’m hoping there has been further work on this, or at least the community have arrived at a common solution, perhaps via an external SPI based integration, or through extending the Keycloak data model, or… fingers crossed…
Nick
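To make the "parse it during permission evaluation" idea from the quoted threads concrete, here is an added example (not code from this post or from the Keycloak project) that takes the group-path layout described above and turns it into per-project role sets on the application side. It assumes the client receives a `groups` claim containing full group paths (the shape Keycloak's Group Membership mapper can emit when "full group path" is enabled; treated here as an assumption), and that child groups follow the `<Project>_<Role>` naming convention from the post. The sample claims are constructed, not taken from a real token. Note that this only moves the lookup cost to the token consumer; it does not change how many groups Keycloak itself has to manage, which is the scaling limit the post is about.

```python
"""Parse a token's group-path claim into per-project roles and check them.

Assumptions (not stated in the thread):
  * a "groups" claim carries full group paths such as "/Project_A/Project_A_Owner";
  * top-level groups are project contexts, child groups are named <Project>_<Role>.
"""
from collections import defaultdict

# Constructed sample claims for illustration; not a real Keycloak token.
SAMPLE_CLAIMS = {
    "sub": "example-user",
    "groups": [
        "/Project_A",
        "/Project_A/Project_A_Owner",
        "/Project_B",
        "/Project_B/Project_B_Viewer",
        "/Unrelated",
    ],
}


def parse_project_roles(groups):
    """Return {project: set(roles)} derived from full group paths.

    A top-level group like "/Project_A" records membership (empty role set).
    A child like "/Project_A/Project_A_Owner" adds the role "Owner" to Project_A.
    Children that do not follow the <Project>_<Role> convention, and paths
    deeper than two levels, are ignored rather than guessed at, so a
    mis-named group can never grant a role.
    """
    roles = defaultdict(set)
    for path in groups:
        parts = [p for p in path.split("/") if p]
        if not parts:
            continue
        project = parts[0]
        bucket = roles[project]  # creates the membership entry if absent
        if len(parts) == 2:
            leaf = parts[1]
            prefix = project + "_"
            if leaf.startswith(prefix) and len(leaf) > len(prefix):
                bucket.add(leaf[len(prefix):])
    return dict(roles)


def has_project_role(claims, project, role):
    """True only if the token grants `role` inside `project`.

    Roles are scoped by project, so an Owner of Project_A is not an Owner
    of Project_B; this is the cross-context separation the post is after.
    """
    per_project = parse_project_roles(claims.get("groups", []))
    return role in per_project.get(project, set())


if __name__ == "__main__":
    print(parse_project_roles(SAMPLE_CLAIMS["groups"]))
    print(has_project_role(SAMPLE_CLAIMS, "Project_A", "Owner"))
    print(has_project_role(SAMPLE_CLAIMS, "Project_B", "Owner"))
```

The parser deliberately refuses to infer anything from malformed paths: a child group that does not carry its parent's prefix yields membership but no role, which keeps a typo in group naming from silently widening access.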
