Keycloak UMA without storing resource ID and owner ID in application

Drane · July 20, 2021, 12:12pm

Hello all,

One of the advantages of using an IAM system like keycloak is delegating complex security to an external system.

But when I look at the keycloak UMA photoz example, I see an example where you need to add 2 columns to your resource DB table:

So the userid (owner) and externalid (id of the resource inside keycloak) are added to the DB table in which the resource resides. This seems kind of intrusive.

Isn’t it possible to use the resource URI to dynamically fetch the owner (=userid) and resource id (=externalid), to handle the same logic?

This seems less intrusive. Though I can image this causes a serious performance hit.

All feedback welcome.

Best wishes,

Jochen

Drane · July 22, 2021, 1:03pm

I already managed to use the keycloak client to get external id and owner id based on the resource uri instead of storing them in the DB. Definitely less intrusive as you don’t need any extra DB columns.

But I wonder if the performance of the solution would be acceptable.

Topic		Replies	Views
Keycloack user has a one-to-many relationship Getting advice	8	4332	April 24, 2020
External id is removed from KeycloakId key while login using Google IdP Extending the server authentication , identity-brokering , user-federation	3	1751	June 7, 2021
Keycloak Users Management Getting advice	3	842	February 23, 2021
How do i replace user id of keycloak , which is UUID with IDP's user email address	4	7249	August 5, 2021
How does the background inner working of the UserStorageProvider works? Getting advice authentication	1	290	February 6, 2023

Keycloak UMA without storing resource ID and owner ID in application

Related Topics