
dguhr-rh

01/18/2023, 12:45 PM
If anyone on the team here would be interested in doing a little coding session with me around building a Keycloak event listener that uses the SpiceDB Java client to fill up a SpiceDB instance with users and add them to groups while using the Keycloak UI... I started a heavy WIP branch here: https://github.com/DGuhr/keycloak-openfga-event-listener/tree/spicedb_exp and am more than happy to collaborate. The branch is using the same principle as someone used for OpenFGA; I guess it'll become its own repo once I've removed all the other stuff (see the main branch README for an architecture overview). IMO it'd be nice to have such a connector: then you could e.g. connect Keycloak to an LDAP or identity provider, import the users and groups, have the event listener emit events in case of user creation/update/deletion or group creation/update/deletion, and then handle the permission system in SpiceDB while having a good migration path for all sorts of legacy databases and existing environments, as Keycloak is good at integrating all of these. ^^
The branch includes a docker-compose that currently spins up Keycloak on Postgres, with an event listener installed that (currently) writes tuples to a file (or Kafka, commented out for debugging purposes), and SpiceDB based on Postgres (tried a CRDB cluster first, but the cluster members didn't find each other).
The SpiceDB Java client is also already added as a dependency, but not used so far.
The next step would be to rewrite the parser so that it no longer parses to the OpenFGA JSON format but parses what Keycloak gives us into SpiceDB-usable data and sends it over the line using the Java client.
But... for now just a small side project 🙂

Joey

01/18/2023, 3:51 PM
Happy to offer guidance.

dguhr-rh

01/18/2023, 4:46 PM
It's a bit late here, but I'll come back to that tomorrow. Will push the latest version in a few minutes and then call it a day 🙂

https://youtu.be/WarFAe8xkdA

Video of where I am so far... very "in the beginning", but at least basic connectivity is there. Should be available in HD (recommended) in around 45 minutes. Have a nice afternoon, Germany closes its laptops now 😉 @Joey I'll PM you tomorrow to organise things further if you're still interested 🙂
OK, already available in HD. Never mind.

Joey

01/18/2023, 6:04 PM
Cool.
And yeah, ping me with any questions.

dguhr-rh

01/27/2023, 9:48 AM
JFYI: extended it a bit, the repo is now here: https://github.com/DGuhr/keycloak-spicedb-eventlistener. Able to import users, groups and group members using Keycloak as the provisioning frontend and kcadm.sh as the provisioning tool so far. Nice little side project somehow, helps to think about the boundaries. Next I'll explore the delete mechanisms... Leading question: "how easy is it with the current API to completely delete a user's relations from the existing relations?" Most likely at the weekend or next week, though 😉