Keycloak UMA without storing resource ID and owner ID in application

Hello all,

One of the advantages of using an IAM system like keycloak is delegating complex security to an external system.

But when I look at the keycloak UMA photoz example, I see an example where you need to add 2 columns to your resource DB table:

So the userid (owner) and externalid (id of the resource inside keycloak) are added to the DB table in which the resource resides. This seems kind of intrusive.

Isn’t it possible to use the resource URI to dynamically fetch the owner (=userid) and resource id (=externalid), to handle the same logic?

This seems less intrusive. Though I can image this causes a serious performance hit.

All feedback welcome. :blush:

Best wishes,


I already managed to use the keycloak client to get external id and owner id based on the resource uri instead of storing them in the DB. Definitely less intrusive as you don’t need any extra DB columns.

But I wonder if the performance of the solution would be acceptable.