keycloak-spicedb-eventlistener
An event listener for Keycloak that creates SpiceDB relationship data for Keycloak users and groups by listening to Keycloak events and writing the relationships with the SpiceDB Java client.
Inspired by this implementation for OpenFGA.
:warning::warning::warning: Warning: this is a highly experimental WIP PoC for now, so use it at your own risk and definitely nowhere near production. It may well be abandoned shortly. :warning: :warning: :warning:
Try it out:
- mvn clean install
- docker compose up
- wait until the custom entrypoint script has run (users are provisioned automatically using kcadm.sh); watch the logs :)
- use e.g. zed (the SpiceDB command line tool) to connect to the SpiceDB instance and check that relationships are written containing the username (form: userid_username):
  zed context set first-dev-context :50051 "abcdefgh" --insecure
  followed by zed relationship read tenant, which should output 3 members of 2 tenants (12345 and 23456), and zed relationship read group, which should show a <groupId>_<name> pair with parent tenant 12345 (derived from the creating user inside Keycloak; the script adds an org_id to the admin account), as defined in initialize-poc.sh.
Example zed output:
Using ChatGPT to get rid of annoying tasks
See CHATGPT_GENERATOR.md.
TODO:
Much more. As said, highly experimental; dunno where to go with this, but it's fun ;)
Done
- extended to (experimentally) handle "add group" events
- extended to (experimentally) handle "group membership" events
- used ChatGPT to generate a user generation script for Keycloak; more about that here
- refactored the initial schema creation: SpiceDB now loads schema.yml directly instead of the schema being created in code
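The mapping sketched in "try it out" and in the "Done" items (user to tenant member, group to parent tenant, group membership), as an added example that is not the PoC's own Java code: it turns constructed Keycloak admin events into zed-style relationship strings and refuses to emit a write when the tenant is unknown or when the userid_username form would not be a valid SpiceDB object id (e.g. a username containing "@" or "."). The object-id character set and the creatorOrgId field are assumptions, not taken from the project.

```python
import re
# SpiceDB object IDs: alphanumerics plus / _ | - = +, 1 to 1024 chars (assumed from the SpiceDB docs).
OBJECT_ID_RE = re.compile(r"^[A-Za-z0-9/_|\-=+]{1,1024}$")

def object_id(kc_id, name):
    # The PoC's '<id>_<name>' form; None if SpiceDB would reject it (e.g. '@' or '.' in a username).
    oid = f"{kc_id}_{name}"
    return oid if OBJECT_ID_RE.match(oid) else None

class RelationshipMapper:
    def __init__(self):
        self.users = {}    # keycloak user id  -> user object id (userid_username)
        self.groups = {}   # keycloak group id -> group object id (groupId_name)
        self.skipped = []  # (resourcePath, reason) for events that must not produce a write
    def skip(self, ev, reason):
        self.skipped.append((ev.get("resourcePath"), reason))
        return []

    def on_admin_event(self, ev):
        if ev.get("operationType") != "CREATE":
            return []  # the PoC only handles creations
        rtype, parts = ev.get("resourceType"), ev.get("resourcePath", "").split("/")
        rep = ev.get("representation") or {}  # constructed as an already-parsed dict
        if rtype == "USER" and len(parts) == 2:
            org_id = ((rep.get("attributes") or {}).get("org_id") or [None])[0]  # the user's tenant
            oid = object_id(parts[1], rep.get("username", ""))
            if org_id is None or oid is None:
                return self.skip(ev, "missing org_id" if org_id is None else "invalid object id")
            self.users[parts[1]] = oid
            return [f"tenant:{org_id}#member@user:{oid}"]
        if rtype == "GROUP" and len(parts) == 2:
            oid, tenant = object_id(parts[1], rep.get("name", "")), ev.get("creatorOrgId")
            if oid is None or tenant is None:
                return self.skip(ev, "invalid object id or unknown creator tenant")
            self.groups[parts[1]] = oid
            return [f"group:{oid}#parent@tenant:{tenant}"]
        if rtype == "GROUP_MEMBERSHIP" and len(parts) == 4:  # users/<uid>/groups/<gid>
            user, group = self.users.get(parts[1]), self.groups.get(parts[3])
            if user is None or group is None:
                return self.skip(ev, "user or group not yet known")
            return [f"group:{group}#member@user:{user}"]
        return []

# Constructed sample admin events (not captured from a real Keycloak); 'creatorOrgId' is an assumed field standing in for the org_id the listener would look up on the admin who created the group.
SAMPLE_ADMIN_EVENTS = [
    {"operationType": "CREATE", "resourceType": "USER", "resourcePath": "users/u-1", "representation": {"username": "alice", "attributes": {"org_id": ["12345"]}}},
    {"operationType": "CREATE", "resourceType": "USER", "resourcePath": "users/u-2", "representation": {"username": "bob@example.com", "attributes": {"org_id": ["23456"]}}},
    {"operationType": "CREATE", "resourceType": "GROUP", "resourcePath": "groups/g-1", "representation": {"name": "devs"}, "creatorOrgId": "12345"},
    {"operationType": "CREATE", "resourceType": "GROUP_MEMBERSHIP", "resourcePath": "users/u-1/groups/g-1"},
]
```

Feeding SAMPLE_ADMIN_EVENTS through one RelationshipMapper yields the tenant membership for alice, the group's parent tenant and alice's group membership, while bob is recorded in skipped instead of being written with an id SpiceDB would reject.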