This is kind of close to asking for an opinion, but I'm going to give it a shot nonetheless.
What I need to do is implement authorization in a system where users create the resources dynamically and can grant access to the whole or part of the resource. I've done similar stuff earlier and just implemented the authorization as an integral part of the system. What makes this time different is the dynamic part, but also that we want to provide SSO and so on; that's why I started looking into Keycloak. I found the following with regard to Keycloak that I thought I could utilize:
- Resource: A resource represents a protected object or entity within an application that you want to secure.
- Scope: A scope represents a specific permission or action that can be performed on a resource. Examples of scopes: read, write, delete, update.
So, here's an example of how I thought to implement the authorization:
- An admin user (A) creates entity E.
- The system creates a resource R in Keycloak.
- A grants access to scopes S_1 - S_n to a specified user, group or role.
As I understand this, this is a valid pattern for implementing it in Keycloak. But I do have a few questions/doubts.
- Is it feasible to dynamically create dynamic resources in Keycloak?
- There won't be that many resources in the system, but is there any practical limit in Keycloak to the number of resources it can handle?
- Has anyone tried to do it this way?
Grateful for all input!
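
The three-step flow described in the post, as an added example that is not part of the original post and is not Keycloak's own code: it builds, without sending, the two Keycloak Protection API requests (`resource_set` to register R, `uma-policy` to grant scopes) and refuses grants that name scopes R does not define or that name no grantee. The host, realm, resource naming scheme and type URN are assumptions, and the client's PAT and the owner's access token must be obtained separately.

```python
import json
import urllib.request
from urllib.parse import quote

BASE = "https://sso.example.test/realms/demo"  # hypothetical host and realm


def _post(url, token, body):
    """Build (not send) an authenticated JSON POST request."""
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def create_resource_request(pat, entity_id, owner, scopes):
    """Step 2: register entity E as resource R (uses the client's PAT)."""
    body = {
        "name": f"entity:{entity_id}",  # naming scheme is an assumption
        "type": "urn:demo:entity",      # hypothetical type URN
        "owner": owner,
        "ownerManagedAccess": True,     # lets the owner share R via UMA
        "resource_scopes": sorted(scopes),
    }
    return _post(f"{BASE}/authz/protection/resource_set", pat, body)


def grant_request(owner_token, resource_id, resource_scopes, grant_scopes,
                  users=(), groups=(), roles=()):
    """Step 3: owner A grants a subset of R's scopes to users/groups/roles."""
    if not grant_scopes:
        raise ValueError("grant must name at least one scope")
    extra = set(grant_scopes) - set(resource_scopes)
    if extra:
        raise ValueError(f"scopes not defined on resource: {sorted(extra)}")
    if not (users or groups or roles):
        raise ValueError("grant must name at least one grantee")
    body = {
        "name": f"grant:{resource_id}:{'+'.join(sorted(grant_scopes))}",
        "scopes": sorted(grant_scopes),
    }
    # "users" is assumed to be accepted by the Keycloak version in use.
    for key, values in (("users", users), ("groups", groups), ("roles", roles)):
        if values:
            body[key] = list(values)
    url = f"{BASE}/authz/protection/uma-policy/{quote(resource_id, safe='')}"
    return _post(url, owner_token, body)
```

Send the returned objects with `urllib.request.urlopen`; the `_id` field in the `resource_set` response is the `resource_id` that the grant step needs.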