Question: Config Sync between fga and keycloak #8
Comments
Hi @marcportabellaclotet-mt, thanks for the feedback! Currently, the keycloak-openfga-event-publisher does not have a retry feature. I have an idea of how to implement this (with a custom transaction in order to have rollback capability), but it’s currently in the backlog. For more complex scenarios, I’ve ended up synchronizing the events using an IGA (Identity Governance Platform) to enable retry/reconciliation of events between the identity model and the OpenFGA authorization model within the Identity Access Plus Platform.
Thanks for sharing. I was thinking of other scenarios where, for example, the config in OpenFGA is deleted by mistake, failure, ... Even with a retry feature in the event publisher, it won't cover this scenario. I was thinking of something like a background check to ensure that the config is in sync, similar to this How does the reconciliation of events work with the Identity Access Plus platform?
Yes, implementing the
When you have an IGA platform, you can work with connectors/drivers that support syncing processes through reconciliation or live sync actions.
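One way to sketch the background sync check discussed in this thread, as an added example that is not part of the original comments or the project's code. The `assignee` relation, the `user:`/`role:` type names, the delete-ratio guard and the sample data are assumptions constructed for illustration.

```python
from typing import NamedTuple

class TupleKey(NamedTuple):
    user: str
    relation: str
    object: str

# Assumption: role membership is stored as  user:<id>  assignee  role:<name>.
ROLE_RELATION = "assignee"

def desired_tuples(keycloak_roles):
    """Map {user_id: [role, ...]} exported from Keycloak to the expected tuples."""
    return {TupleKey(f"user:{uid}", ROLE_RELATION, f"role:{role}")
            for uid, roles in keycloak_roles.items() for role in roles}

def is_managed(t):
    """Only tuples owned by the Keycloak sync may be deleted by reconciliation."""
    return (t.relation == ROLE_RELATION and t.user.startswith("user:")
            and t.object.startswith("role:"))

def reconcile(keycloak_roles, fga_tuples, max_delete_ratio=0.5):
    """Return (missing, stale): tuples to write and tuples to delete."""
    desired = desired_tuples(keycloak_roles)
    actual = {t for t in fga_tuples if is_managed(t)}
    missing = sorted(desired - actual)  # access granted in Keycloak, absent in OpenFGA
    stale = sorted(actual - desired)    # access lingering after removal in Keycloak
    # Guard: an empty or partial Keycloak export must not wipe the store.
    if actual and len(stale) / len(actual) > max_delete_ratio:
        raise RuntimeError(f"refusing to delete {len(stale)} of {len(actual)} tuples")
    return missing, stale

def write_request(missing, stale):
    """Build a body for OpenFGA's Write endpoint; empty sections are omitted."""
    body = {}
    if missing:
        body["writes"] = {"tuple_keys": [t._asdict() for t in missing]}
    if stale:
        body["deletes"] = {"tuple_keys": [t._asdict() for t in stale]}
    return body

# Constructed sample state: carol lost her role in Keycloak, alice gained admin.
SAMPLE_KEYCLOAK = {"alice": ["admin", "viewer"], "bob": ["viewer"]}
SAMPLE_FGA = [
    TupleKey("user:alice", "assignee", "role:viewer"),
    TupleKey("user:bob", "assignee", "role:viewer"),
    TupleKey("user:carol", "assignee", "role:admin"),
    TupleKey("user:alice", "owner", "document:1"),  # not managed by the sync
]

if __name__ == "__main__":
    print(write_request(*reconcile(SAMPLE_KEYCLOAK, SAMPLE_FGA)))
```

Run on a schedule, the `stale` list also works as a detection signal: a non-empty result means a delete event was missed and access outlived its revocation.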
Thank you for sharing this PoC! It's both fascinating and incredibly useful.
I have a question regarding how Keycloak roles are kept in sync with OpenFGA.
From my understanding, this PoC leverages the Keycloak listener to publish events for created or deleted roles and users to OpenFGA.
However, there could be scenarios where the sync might get out of date or missed. Could you share how you ensure that Keycloak roles and users remain consistent with OpenFGA tuples in such cases?