diff --git a/docs/architecture-decision-records/layering-on-keycloak.md b/docs/architecture-decision-records/layering-on-keycloak.md index 8731521..bd46508 100644 --- a/docs/architecture-decision-records/layering-on-keycloak.md +++ b/docs/architecture-decision-records/layering-on-keycloak.md 
@@ -38,9 +38,12 @@ VEDA Auth Central deploys and manages out of the box open source Keycloack for V ## Drivers -- **Supports Complex Authorization Needs**: The custom layer addresses specific authorization needs that are not natively supported by Keycloak, such as application-based user subscriptions, scope inheritance, and detailed access control for multiple environments (dev, staging, production). -- **Simplifies Administration and Reduces Misconfiguration Risk**: By introducing application-specific entities and reusable templates, the custom layer simplifies the management of access policies and reduces the risk of misconfiguration that could arise from directly managing these controls within Keycloak. -- **Improves User Management**: The user enrichment module centralizes and automates user onboarding and group management, providing a clearer and more organized structure for user roles and permissions across all VEDA applications. +- **Supports Complex Authorization Needs**: Support application-based user subscriptions, scope inheritance, and detailed access control for multiple environments (dev, staging, production). +- **Simple Administration**: How easy it is for administrators such as science program leads to manage users or groups on their own +- **Graphical User Interface**: Ease of providing a graphical user interface for user and group administration +- **Community friendly**: How well the solution fits into VEDA as an ecosystem of community-maintained open source platform components +- **Generic integration**: Whether the solution offers generic integration patterns, such that applications can reuse logic for other publicly available providers like Auth0 +- **Well documented**: Quality and completeness of documentation, important to ensure good uptake by applications and other instances of the platform ## Considered Options: 
@@ -49,6 +52,7 @@ VEDA Auth Central deploys and manages out of the box open source Keycloack for V - Simple to implement with minimal development effort. - Utilizes Keycloak’s built-in features and administration tools. - Lower initial setup cost. + - Comes with an admin GUI. - **Cons:** - Lacks support for application-specific authorization, complex user onboarding, and automated group management. - Cannot support advanced use cases like scope inheritance or application-based user subscriptions. @@ -67,9 +71,12 @@ VEDA Auth Central deploys and manages out of the box open source Keycloack for V - Provides the flexibility to implement specific business logic, including fine-grained authorization and user management. - Allows Keycloak to be upgraded and maintained independently of the custom logic. - Supports the scalability and customization needs of Veda Auth Central without overly complicating the core IAM solution. + - By introducing application-specific entities and reusable templates, the custom layer simplifies the management of access policies and reduces the risk of misconfiguration that could arise from directly managing these controls within Keycloak. - **Cons:** - - Additional development effort required to create and maintain the custom layer. + - Additional effort required to develop and maintain the custom layer and its documentation. - Potential for increased complexity in managing the interaction between Keycloak and the custom layer. + - Risk of requiring solution-specific logic on the application side. + - Requires development of a custom administation GUI. ## Decision Outcome
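Review bot: In the first hunk (`## Drivers`), the six new bullets are not parallel: the first is phrased as a capability ("Support application-based user subscriptions…") while the remaining five are evaluation criteria phrased as noun clauses ("How easy it is…", "Ease of providing…", "Quality and completeness…"), and only the first ends with a period. Since the section now reads as a list of decision criteria, suggest rewording the first to match, e.g. "**Supports Complex Authorization Needs**: Ability to support application-based user subscriptions, scope inheritance, and detailed access control for multiple environments (dev, staging, production)", and adding terminal punctuation consistently. Separately, dropping the "Improves User Management" driver removes user onboarding and group management from the criteria, yet the cons of option 1 in the next hunk still argue against it on exactly those grounds ("complex user onboarding, and automated group management"); either keep a driver that covers them or revise that con so every stated pro/con maps to a listed driver. The unchanged context line also carries the misspelling "Keycloack"; worth fixing while this file is being edited.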
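Review bot: In the second hunk, the added pro "Comes with an admin GUI." largely restates the existing pro two lines above, "Utilizes Keycloak’s built-in features and administration tools." If the intent is to give the new "Graphical User Interface" driver an explicit entry, suggest merging the two into one bullet (e.g. "Utilizes Keycloak’s built-in features, including its admin GUI for user and group administration.") so each pro maps to a driver without duplication.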
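Review bot: In the third hunk, the added con "Requires development of a custom administation GUI." misspells "administration". The added pro moved from the old Drivers section is also much longer than the surrounding bullets and asserts a reduced misconfiguration risk without saying why; suggest trimming it to the claim the ADR can support, e.g. "Application-specific entities and reusable templates centralize access-policy management instead of hand-editing Keycloak clients, roles and groups per application.", and stating the misconfiguration argument as a rationale rather than a guarantee. The new cons about application-side solution-specific logic and a custom admin GUI correctly mirror the "Generic integration" and "Graphical User Interface" drivers; consider noting that option 3 scores against both so the Decision Outcome section can address how those risks are mitigated.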