[DRAFT] Resources synchronization between modules and Keycloak during the application revoke
Problem Statement
During the application revoke operation with purge=true, mgr-tenant-entitlement (MTE) removes resources in Keycloak. It also removes all related entities by cascade. This works for most cases except for module-created users and roles. mod-roles-keycloak and default roles are good examples of this problem. After the revoke operation, MTE removes all resources in Keycloak, and mod-roles-keycloak purges its database, but the roles and users still exist in Keycloak. They are stored at the realm level in Keycloak.
Research Questions
Which component should be responsible for cleaning or syncing data between the module and Keycloak?
mod-roles-keycloak can clean data in Keycloak during the tenant disable operation. MTE can clean data in the Keycloak realm during the revoke operation, but MTE does not know anything about default roles. How do we resolve this case?
Deliverables
Spike results described here
Option 1
Pros
Cons
Option 2
Pros
Cons
Conclusion
Summarize the results of the spike, key findings, and any recommendations or next steps
Spike Status: Completed / In Progress / On hold
Attachments
Include any relevant attachments, such as documents, diagrams, or presentations that support the spike