If anyone of the team here would be interested in doing a little coding session with me around building a keycloak event listener that uses the spicedb java client to fill up a spicedb instance with users and adds them to groups while using the keycloak UI... I started a heavy WIP branch here: https://github.com/DGuhr/keycloak-openfga-event-listener/tree/spicedb_exp and am more than happy to collaborate. - the branch is using the same principle as someone used for openFGA, i guess it'll become its own repo when i removed all the other stuff (see main branch readme for architecture overview). Imo it'd be nice to have such a connector, then you could e.g. connect keycloak to an ldap or identity provider, import the users and groups, and have the eventlistener emit events to in case of user creation/update/deletion or group creation/update/deletion and then handle the permission system in spicedb while having a good migration path for all sorts of legacy databases and existing environments, as keycloak is good in integrating all of these. ^^

be happy to offer guidance

it's a bit late here, but i'll come back to that tomorrow. will push the latest version in a few mins and then call it a day 🙂

cool

jfyi: extended it a bit, repo is now here: https://github.com/DGuhr/keycloak-spicedb-eventlistener - able to import users, groups and group-members using keycloak as provisioning frontend and kcadm.sh as provisioning tool so-far. Nice lil sideproject somehow, helps to think about the boundaries. Next i'll explore the delete mechanisms... Leading question "how easy is it with the current API to completely delete a users relations from the existing relations". Most likely at the weekend or next week, though 😉