Description
Allow a Keycloak Administrator to manage the members of an organization through the REST Admin API using the following operations:
- Create a user as a member of an organization
- Update an organization member
- Delete a user from an organization
- List all organization members
An organization member inherits all the properties of a regular user in Keycloak, except that:
- The username of an organization member is always the e-mail.
- An organization member belongs to a single organization.
  - It might be possible in the future to support the same user as a member of multiple organizations.
- Removing an organization should also remove all its members.
- Removing an organization member should also remove the user from the realm.
- As a regular user in a realm, an organization member authenticates using whatever policies are set at the realm level.
- As a regular user in a realm, an organization member can be managed by a Keycloak Administrator through the Admin User API.
  - Removing a user through the Admin User API should also remove the relationship between the user and the organization.
The approach proposed here should leverage the existing capabilities of the Admin User API so that an organization member and a regular user share the same representation. It also makes it simpler to consolidate how users are managed, as well as their association with an organization, through a single API, the Organization API.
I can see two main use cases for associating users to organizations:
- Creating a user in the scope of an organization
- Associating an existing user with an organization
Both are related to valid use cases, but starting with managing members only through the Organization API sounds better, to avoid using both the Admin User API and the Organization API when adding a member.
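The rules above are easiest to reason about when written down as executable behaviour. The following is an added example, not Keycloak code and not the proposal's own API: it is an in-memory model that encodes the four operations, the username-equals-e-mail rule, the single-organization rule and the three cascading deletes, and covers both use cases (creating a user in the scope of an organization and associating an existing user). The `Realm`, `User` and `MembershipError` names, the method names and the use of a user-id-to-organization-id map are all assumptions made for illustration; the real Admin REST endpoints and representations are not defined by this proposal and are not modelled.

```python
"""In-memory model of the organization-membership rules in the proposal.

Added example, not Keycloak code. It does not call the real Admin REST
API; it only encodes the behaviour the proposal asks for so the rules
and their cascading effects can be exercised. All names are assumptions.
"""
from dataclasses import dataclass, field
import uuid


class MembershipError(Exception):
    """Raised when an operation would violate one of the membership rules."""


@dataclass
class User:
    """A regular realm user; members reuse this representation unchanged."""
    id: str
    username: str
    email: str
    enabled: bool = True
    attributes: dict = field(default_factory=dict)


class Realm:
    def __init__(self):
        self.users = {}       # user id -> User       (Admin User API view)
        self.orgs = {}        # org id  -> org name   (Organization API view)
        self.member_org = {}  # user id -> org id; at most one org per user

    # ---- Admin User API: a member is just a realm user here ----
    def create_user(self, username, email, **attributes):
        user = User(id=str(uuid.uuid4()), username=username, email=email,
                    attributes=attributes)
        self.users[user.id] = user
        return user

    def delete_user(self, user_id):
        # Deleting through the Admin User API also drops the organization link.
        del self.users[user_id]
        self.member_org.pop(user_id, None)

    # ---- Organization API ----
    def create_org(self, name):
        org_id = str(uuid.uuid4())
        self.orgs[org_id] = name
        return org_id

    def delete_org(self, org_id):
        # Removing an organization removes all its members, which in turn
        # removes each of them from the realm (see delete_member).
        for user_id in [u for u, o in self.member_org.items() if o == org_id]:
            self.delete_member(org_id, user_id)
        del self.orgs[org_id]

    def create_member(self, org_id, email, **attributes):
        # Use case 1: create the user in the scope of the organization.
        # The username of a member is always the e-mail.
        self._org(org_id)
        user = self.create_user(username=email, email=email, **attributes)
        self.member_org[user.id] = org_id
        return user

    def add_member(self, org_id, user_id):
        # Use case 2: associate an existing realm user. A user belongs to a
        # single organization, so a second association is rejected.
        self._org(org_id)
        user = self.users[user_id]
        if user_id in self.member_org:
            raise MembershipError(f"{user.email} is already a member of "
                                  f"{self.orgs[self.member_org[user_id]]}")
        if not user.email:
            raise MembershipError("a member needs an e-mail (it becomes the username)")
        user.username = user.email
        self.member_org[user_id] = org_id
        return user

    def update_member(self, org_id, user_id, **changes):
        # Members are updated like regular users, except that the username
        # follows the e-mail and cannot be set to anything else.
        user = self._member(org_id, user_id)
        if "username" in changes and changes["username"] != changes.get("email", user.email):
            raise MembershipError("a member's username must equal its e-mail")
        changes.pop("username", None)
        if "email" in changes:
            user.email = user.username = changes.pop("email")
        for key, value in changes.items():
            if key == "enabled":
                user.enabled = value
            else:
                user.attributes[key] = value
        return user

    def delete_member(self, org_id, user_id):
        # Removing a member also removes the user from the realm.
        self._member(org_id, user_id)
        self.delete_user(user_id)

    def list_members(self, org_id):
        self._org(org_id)
        return [self.users[u] for u, o in self.member_org.items() if o == org_id]

    # ---- helpers ----
    def _org(self, org_id):
        if org_id not in self.orgs:
            raise MembershipError(f"unknown organization {org_id}")

    def _member(self, org_id, user_id):
        self._org(org_id)
        if self.member_org.get(user_id) != org_id:
            raise MembershipError(f"user {user_id} is not a member of {self.orgs[org_id]}")
        return self.users[user_id]
```

The single map from user id to organization id is what makes the "single organization" rule cheap to enforce and is the one structure that would have to change if the future multi-organization membership mentioned above were adopted; the cascading deletes are deliberately routed through `delete_member` and `delete_user` so that each rule is implemented in exactly one place.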