[DRAFT] Resources synchronization between modules and Keycloak during the application revoke

 

Problem Statement

During the application revoke operation with purge=true, mgr-tenant-entitlement (MTE) removes resources in Keycloak. It also removes all related entities by cascade. This works for most cases, except for module-created users and roles. mod-roles-keycloak and default roles are good examples of this problem. After the revoke operation, MTE removes all resources in Keycloak, and mod-roles-keycloak purges its database, but roles and users still exist in Keycloak. They are stored at the realm level in Keycloak.

Research Questions

  1. Which component should be responsible for cleaning or syncing data between the module and Keycloak?

  2. mod-roles-keycloak can clean data in Keycloak during the tenant disable operation. MTE can clean data in the Keycloak realm during the revoke operation, but MTE does not know anything about default roles. How do we resolve this case?

Deliverables

Spike results described here

Option 1

Pros

Cons

Option 2

Pros

Cons

Conclusion

Summarize the results of the spike, key findings, and any recommendations or next steps

Spike Status: Completed / In Progress / On hold

Attachments

Include any relevant attachments, such as documents, diagrams, or presentations that support the spike