You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As a warning, I'm not super deep in Keycloak. Nevertheless, the way ORT Server uses Keycloak's client roles dynamically (permission_organization_$ORGID_write etc.) seems unintuitive. What ORT Server wants to do is to protect resources (organizations, products etc.), and for that Keycloak has native functionality to manage resources, policies and permissions. To me this seems like a better fit than the current method of handling authorization. There have also been some reports where large number of roles has led to performance issues (though the specific prolem may have been solved in later releases), and with the current authorization model the role count grows very large.
What is the reason for going with these dynamic roles for authorization instead of Keycloak's resource authorization service?
The text was updated successfully, but these errors were encountered:
As a warning, I'm not super deep in Keycloak. Nevertheless, the way ORT Server uses Keycloak's client roles dynamically (
permission_organization_$ORGID_write
etc.) seems unintuitive. What ORT Server wants to do is to protect resources (organizations, products etc.), and for that Keycloak has native functionality to manage resources, policies and permissions. To me this seems like a better fit than the current method of handling authorization. There have also been some reports where large number of roles has led to performance issues (though the specific prolem may have been solved in later releases), and with the current authorization model the role count grows very large.What is the reason for going with these dynamic roles for authorization instead of Keycloak's resource authorization service?
The text was updated successfully, but these errors were encountered: