KEYCLOAK-4858: Slow query performance for client with large data volume

- Changing RESOURCE_SERVER PK to the client ID. - Changing FK on children of RESOURCE_SERVER. - Use direct fetch of ResourceServer through ID/PK to avoid a lot of implicit Hibernate flush.
2017-09-01 15:05:12 -04:00 · 2017-09-01 15:05:12 -04:00 · c1664478d9
commit c1664478d9
parent 1fb8846a7a
44 changed files with 154 additions and 195 deletions
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java
@ -108,7 +108,7 @@ public class ClientPolicyProviderFactory implements PolicyProviderFactory<Client
                PolicyStore policyStore = storeFactory.getPolicyStore();
                ClientModel removedClient = ((ClientRemovedEvent) event).getClient();
                ResourceServerStore resourceServerStore = storeFactory.getResourceServerStore();
-                ResourceServer resourceServer = resourceServerStore.findByClient(removedClient.getId());
+                ResourceServer resourceServer = resourceServerStore.findById(removedClient.getId());

                if (resourceServer != null) {
                    policyStore.findByType(getId(), resourceServer.getId()).forEach(policy -> {
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
@ -222,7 +222,7 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePoli
    }

    private void updateResourceServer(ClientModel clientModel, RoleModel removedRole, ResourceServerStore resourceServerStore, PolicyStore policyStore) {
-        ResourceServer resourceServer = resourceServerStore.findByClient(clientModel.getId());
+        ResourceServer resourceServer = resourceServerStore.findById(clientModel.getId());

        if (resourceServer != null) {
            policyStore.findByType(getId(), resourceServer.getId()).forEach(policy -> {
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java
@ -181,7 +181,7 @@ public class UserPolicyProviderFactory implements PolicyProviderFactory<UserPoli
                RealmModel realm = ((UserRemovedEvent) event).getRealm();
                ResourceServerStore resourceServerStore = storeFactory.getResourceServerStore();
                realm.getClients().forEach(clientModel -> {
-                    ResourceServer resourceServer = resourceServerStore.findByClient(clientModel.getId());
+                    ResourceServer resourceServer = resourceServerStore.findById(clientModel.getId());

                    if (resourceServer != null) {
                        policyStore.findByType(getId(), resourceServer.getId()).forEach(policy -> {
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceServerAdapter.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceServerAdapter.java
@ -38,7 +38,7 @@ public class ResourceServerAdapter implements ResourceServer, CachedModel<Resour
    @Override
    public ResourceServer getDelegateForUpdate() {
        if (updated == null) {
-            cacheSession.registerResourceServerInvalidation(cached.getId(), cached.getClientId());
+            cacheSession.registerResourceServerInvalidation(cached.getId());
            updated = cacheSession.getResourceServerStoreDelegate().findById(cached.getId());
            if (updated == null) throw new IllegalStateException("Not found in database");
        }
@ -78,12 +78,6 @@ public class ResourceServerAdapter implements ResourceServer, CachedModel<Resour
        return cached.getId();
    }

-    @Override
-    public String getClientId() {
-        if (isUpdated()) return updated.getClientId();
-        return cached.getClientId();
-    }
-
    @Override
    public boolean isAllowRemoteResourceManagement() {
        if (isUpdated()) return updated.isAllowRemoteResourceManagement();
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheManager.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheManager.java
@ -53,13 +53,13 @@ public class StoreFactoryCacheManager extends CacheManager {
        }
    }

-    public void resourceServerUpdated(String id, String clientId, Set<String> invalidations) {
+    public void resourceServerUpdated(String id, Set<String> invalidations) {
        invalidations.add(id);
-        invalidations.add(StoreFactoryCacheSession.getResourceServerByClientCacheKey(clientId));
+        invalidations.add(StoreFactoryCacheSession.getResourceServerByClientCacheKey(id));
    }

-    public void resourceServerRemoval(String id, String name, Set<String> invalidations) {
-        resourceServerUpdated(id, name, invalidations);
+    public void resourceServerRemoval(String id, Set<String> invalidations) {
+        resourceServerUpdated(id, invalidations);

        addInvalidations(InResourceServerPredicate.create().resourceServer(id), invalidations);
    }
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheSession.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheSession.java
@ -229,12 +229,12 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
        return invalidations.contains(id);
    }

-    public void registerResourceServerInvalidation(String id, String clientId) {
-        cache.resourceServerUpdated(id, clientId, invalidations);
+    public void registerResourceServerInvalidation(String id) {
+        cache.resourceServerUpdated(id, invalidations);
        ResourceServerAdapter adapter = managedResourceServers.get(id);
        if (adapter != null) adapter.invalidateFlag();

-        invalidationEvents.add(ResourceServerUpdatedEvent.create(id, clientId));
+        invalidationEvents.add(ResourceServerUpdatedEvent.create(id));
    }

    public void registerScopeInvalidation(String id, String name, String serverId) {
@ -350,7 +350,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
        @Override
        public ResourceServer create(String clientId) {
            ResourceServer server = getResourceServerStoreDelegate().create(clientId);
-            registerResourceServerInvalidation(server.getId(), server.getClientId());
+            registerResourceServerInvalidation(server.getId());
            return server;
        }

@ -361,8 +361,8 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
            if (server == null) return;

            cache.invalidateObject(id);
-            invalidationEvents.add(ResourceServerRemovedEvent.create(id, server.getClientId()));
-            cache.resourceServerRemoval(id, server.getClientId(), invalidations);
+            invalidationEvents.add(ResourceServerRemovedEvent.create(id, server.getId()));
+            cache.resourceServerRemoval(id, invalidations);
            getResourceServerStoreDelegate().delete(id);

        }
@ -392,33 +392,6 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
             managedResourceServers.put(id, adapter);
            return adapter;
        }
-
-
-        @Override
-        public ResourceServer findByClient(String clientId) {
-            String cacheKey = getResourceServerByClientCacheKey(clientId);
-            ResourceServerListQuery query = cache.get(cacheKey, ResourceServerListQuery.class);
-            if (query != null) {
-                logger.tracev("ResourceServer by clientId cache hit: {0}", clientId);
-            }
-            if (query == null) {
-                Long loaded = cache.getCurrentRevision(cacheKey);
-                ResourceServer model = getResourceServerStoreDelegate().findByClient(clientId);
-                if (model == null) return null;
-                if (invalidations.contains(model.getId())) return model;
-                query = new ResourceServerListQuery(loaded, cacheKey, model.getId());
-                cache.addRevisioned(query, startupRevision);
-                return model;
-            } else if (invalidations.contains(cacheKey)) {
-                return getResourceServerStoreDelegate().findByClient(clientId);
-            } else {
-                String serverId = query.getResourceServers().iterator().next();
-                if (invalidations.contains(serverId)) {
-                    return getResourceServerStoreDelegate().findByClient(clientId);
-                }
-                return findById(serverId);
-            }
-        }
    }

    protected class ScopeCache implements ScopeStore {
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedResourceServer.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedResourceServer.java
@ -22,29 +22,20 @@ import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.models.cache.infinispan.entities.AbstractRevisioned;
 import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;

-import java.io.Serializable;
-
 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
 public class CachedResourceServer extends AbstractRevisioned {

-    private String clientId;
    private boolean allowRemoteResourceManagement;
    private PolicyEnforcementMode policyEnforcementMode;

    public CachedResourceServer(Long revision, ResourceServer resourceServer) {
        super(revision, resourceServer.getId());
-        this.clientId = resourceServer.getClientId();
        this.allowRemoteResourceManagement = resourceServer.isAllowRemoteResourceManagement();
        this.policyEnforcementMode = resourceServer.getPolicyEnforcementMode();
    }

-
-    public String getClientId() {
-        return this.clientId;
-    }
-
    public boolean isAllowRemoteResourceManagement() {
        return this.allowRemoteResourceManagement;
    }
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceServerRemovedEvent.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceServerRemovedEvent.java
@ -49,6 +49,6 @@ public class ResourceServerRemovedEvent extends InvalidationEvent implements Aut

    @Override
    public void addInvalidations(StoreFactoryCacheManager cache, Set<String> invalidations) {
-        cache.resourceServerRemoval(id, clientId, invalidations);
+        cache.resourceServerRemoval(id, invalidations);
    }
 }
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceServerUpdatedEvent.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/events/ResourceServerUpdatedEvent.java
@ -28,12 +28,10 @@ import java.util.Set;
 public class ResourceServerUpdatedEvent extends InvalidationEvent implements AuthorizationCacheInvalidationEvent {

    private String id;
-    private String clientId;

-    public static ResourceServerUpdatedEvent create(String id, String clientId) {
+    public static ResourceServerUpdatedEvent create(String id) {
        ResourceServerUpdatedEvent event = new ResourceServerUpdatedEvent();
        event.id = id;
-        event.clientId = clientId;
        return event;
    }

@ -44,11 +42,11 @@ public class ResourceServerUpdatedEvent extends InvalidationEvent implements Aut

    @Override
    public String toString() {
-        return String.format("ResourceServerRemovedEvent [ id=%s, clientId=%s ]", id, clientId);
+        return String.format("ResourceServerRemovedEvent [ id=%s, clientId=%s ]", id, id);
    }

    @Override
    public void addInvalidations(StoreFactoryCacheManager cache, Set<String> invalidations) {
-        cache.resourceServerUpdated(id, clientId, invalidations);
+        cache.resourceServerUpdated(id, invalidations);
    }
 }
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/ResourceServerEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/ResourceServerEntity.java
@ -18,41 +18,24 @@

 package org.keycloak.authorization.jpa.entities;

-import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;

-import javax.persistence.Access;
-import javax.persistence.AccessType;
 import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.Id;
-import javax.persistence.NamedQueries;
-import javax.persistence.NamedQuery;
-import javax.persistence.OneToMany;
 import javax.persistence.Table;
-import javax.persistence.UniqueConstraint;
-import java.util.List;

 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
@Entity
-@Table(name = "RESOURCE_SERVER", uniqueConstraints = {@UniqueConstraint(columnNames = "CLIENT_ID")})
-@NamedQueries(
-        {
-                @NamedQuery(name="findResourceServerIdByClient", query="select r.id from ResourceServerEntity r where r.clientId = :clientId"),
-        }
-)
+@Table(name = "RESOURCE_SERVER")
 public class ResourceServerEntity {

    @Id
    @Column(name="ID", length = 36)
-    @Access(AccessType.PROPERTY) // we do this because relationships often fetch id, but not entity.  This avoids an extra SQL
    private String id;

-    @Column(name = "CLIENT_ID")
-    private String clientId;
-
    @Column(name = "ALLOW_RS_REMOTE_MGMT")
    private boolean allowRemoteResourceManagement;

@ -67,14 +50,6 @@ public class ResourceServerEntity {
        this.id = id;
    }

-    public String getClientId() {
-        return this.clientId;
-    }
-
-    public void setClientId(String clientId) {
-        this.clientId = clientId;
-    }
-
    public boolean isAllowRemoteResourceManagement() {
        return this.allowRemoteResourceManagement;
    }
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceServerStore.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceServerStore.java
@ -22,16 +22,11 @@ import org.keycloak.authorization.jpa.entities.PolicyEntity;
 import org.keycloak.authorization.jpa.entities.ResourceEntity;
 import org.keycloak.authorization.jpa.entities.ResourceServerEntity;
 import org.keycloak.authorization.jpa.entities.ScopeEntity;
-import org.keycloak.authorization.model.Policy;
 import org.keycloak.authorization.model.Resource;
 import org.keycloak.authorization.model.ResourceServer;
-import org.keycloak.authorization.model.Scope;
 import org.keycloak.authorization.store.ResourceServerStore;
-import org.keycloak.models.utils.KeycloakModelUtils;

 import javax.persistence.EntityManager;
-import javax.persistence.NoResultException;
-import javax.persistence.Query;
 import javax.persistence.TypedQuery;
 import java.util.LinkedList;
 import java.util.List;
@ -53,8 +48,7 @@ public class JPAResourceServerStore implements ResourceServerStore {
    public ResourceServer create(String clientId) {
        ResourceServerEntity entity = new ResourceServerEntity();

-        entity.setId(KeycloakModelUtils.generateId());
-        entity.setClientId(clientId);
+        entity.setId(clientId);

        this.entityManager.persist(entity);

@ -116,17 +110,4 @@ public class JPAResourceServerStore implements ResourceServerStore {
        if (entity == null) return null;
        return new ResourceServerAdapter(entity, entityManager, provider.getStoreFactory());
    }
-
-    @Override
-    public ResourceServer findByClient(final String clientId) {
-        TypedQuery<String> query = entityManager.createNamedQuery("findResourceServerIdByClient", String.class);
-
-        query.setParameter("clientId", clientId);
-        try {
-            String id = query.getSingleResult();
-            return provider.getStoreFactory().getResourceServerStore().findById(id);
-        } catch (NoResultException ex) {
-            return null;
-        }
-    }
 }
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/PolicyAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/PolicyAdapter.java
@ -16,7 +16,6 @@
 */
 package org.keycloak.authorization.jpa.store;

-import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.jpa.entities.PolicyEntity;
 import org.keycloak.authorization.jpa.entities.ResourceEntity;
 import org.keycloak.authorization.jpa.entities.ScopeEntity;
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceAdapter.java
@ -16,7 +16,6 @@
 */
 package org.keycloak.authorization.jpa.store;

-import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.jpa.entities.ResourceEntity;
 import org.keycloak.authorization.jpa.entities.ScopeEntity;
 import org.keycloak.authorization.model.Resource;
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceServerAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceServerAdapter.java
@ -16,11 +16,7 @@
 */
 package org.keycloak.authorization.jpa.store;

-import org.keycloak.authorization.AuthorizationProvider;
-import org.keycloak.authorization.jpa.entities.ResourceEntity;
 import org.keycloak.authorization.jpa.entities.ResourceServerEntity;
-import org.keycloak.authorization.model.Policy;
-import org.keycloak.authorization.model.Resource;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.store.StoreFactory;
 import org.keycloak.models.jpa.JpaModel;
@ -53,11 +49,6 @@ public class ResourceServerAdapter implements ResourceServer, JpaModel<ResourceS
        return entity.getId();
    }

-    @Override
-    public String getClientId() {
-        return entity.getClientId();
-    }
-
    @Override
    public boolean isAllowRemoteResourceManagement() {
        return entity.isAllowRemoteResourceManagement();
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ScopeAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ScopeAdapter.java
@ -16,12 +16,10 @@
 */
 package org.keycloak.authorization.jpa.store;

-import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.jpa.entities.ScopeEntity;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.model.Scope;
 import org.keycloak.authorization.store.StoreFactory;
-import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.jpa.JpaModel;

 import javax.persistence.EntityManager;
--- a/model/jpa/src/main/resources/META-INF/jpa-changelog-3.4.0.xml
+++ b/model/jpa/src/main/resources/META-INF/jpa-changelog-3.4.0.xml
@ -0,0 +1,88 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!--
+  ~ Copyright 2017 Red Hat, Inc. and/or its affiliates
+  ~ and other contributors as indicated by the @author tags.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
+    <changeSet author="keycloak" id="3.4.0-res-server-pk">
+	<!-- Data migration to change the PK of RESOURCE_SERVER to use the CLIENT_ID. -->
+        <addColumn tableName="RESOURCE_SERVER_POLICY">
+            <column name="RESOURCE_SERVER_CLIENT_ID" type="VARCHAR(36)"/>
+        </addColumn>
+        <addColumn tableName="RESOURCE_SERVER_RESOURCE">
+            <column name="RESOURCE_SERVER_CLIENT_ID" type="VARCHAR(36)"/>
+        </addColumn>
+        <addColumn tableName="RESOURCE_SERVER_SCOPE">
+            <column name="RESOURCE_SERVER_CLIENT_ID" type="VARCHAR(36)"/>
+        </addColumn>
+
+        <sql>
+            UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID=(SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID);
+            UPDATE RESOURCE_SERVER_RESOURCE p SET RESOURCE_SERVER_CLIENT_ID=(SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID);
+            UPDATE RESOURCE_SERVER_SCOPE p SET RESOURCE_SERVER_CLIENT_ID=(SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID);
+        </sql>
+
+        <addNotNullConstraint tableName="RESOURCE_SERVER_POLICY" columnName="RESOURCE_SERVER_CLIENT_ID" columnDataType="VARCHAR(36)"/>
+        <addNotNullConstraint tableName="RESOURCE_SERVER_RESOURCE" columnName="RESOURCE_SERVER_CLIENT_ID" columnDataType="VARCHAR(36)"/>
+        <addNotNullConstraint tableName="RESOURCE_SERVER_SCOPE" columnName="RESOURCE_SERVER_CLIENT_ID" columnDataType="VARCHAR(36)"/>
+
+        <dropUniqueConstraint tableName="RESOURCE_SERVER_POLICY" constraintName="UK_FRSRPT700S9V50BU18WS5HA6"/>
+        <dropUniqueConstraint tableName="RESOURCE_SERVER_RESOURCE" constraintName="UK_FRSR6T700S9V50BU18WS5HA6"/>
+        <dropUniqueConstraint tableName="RESOURCE_SERVER_SCOPE" constraintName="UK_FRSRST700S9V50BU18WS5HA6"/>
+
+        <addUniqueConstraint tableName="RESOURCE_SERVER_POLICY" constraintName="UK_FRSRPT700S9V50BU18WS5HA6" 
+            columnNames="NAME, RESOURCE_SERVER_CLIENT_ID"/>
+        <addUniqueConstraint tableName="RESOURCE_SERVER_RESOURCE" constraintName="UK_FRSR6T700S9V50BU18WS5HA6" 
+            columnNames="NAME, OWNER, RESOURCE_SERVER_CLIENT_ID"/>
+        <addUniqueConstraint tableName="RESOURCE_SERVER_SCOPE" constraintName="UK_FRSRST700S9V50BU18WS5HA6" 
+            columnNames="NAME, RESOURCE_SERVER_CLIENT_ID"/>
+
+        <dropColumn tableName="RESOURCE_SERVER_POLICY" columnName="RESOURCE_SERVER_ID"/>
+        <dropColumn tableName="RESOURCE_SERVER_RESOURCE" columnName="RESOURCE_SERVER_ID"/>
+        <dropColumn tableName="RESOURCE_SERVER_SCOPE" columnName="RESOURCE_SERVER_ID"/>
+
+        <dropPrimaryKey tableName="RESOURCE_SERVER" constraintName="CONSTRAINT_FARS"/>
+        <dropUniqueConstraint tableName="RESOURCE_SERVER" constraintName="UK_AU8TT6T700S9V50BU18WS5HA6"/>
+        <addPrimaryKey tableName="RESOURCE_SERVER" constraintName="PK_RESOURCE_SERVER" columnNames="CLIENT_ID"/>
+
+        <dropColumn tableName="RESOURCE_SERVER" columnName="ID"/>
+
+        <createIndex indexName="IDX_RES_SERV_POL_RES_SERV" tableName="RESOURCE_SERVER_POLICY">
+            <column name="RESOURCE_SERVER_CLIENT_ID" type="VARCHAR(36)"/>
+        </createIndex>
+        <createIndex indexName="IDX_RES_SRV_RES_RES_SRV" tableName="RESOURCE_SERVER_RESOURCE">
+            <column name="RESOURCE_SERVER_CLIENT_ID" type="VARCHAR(36)"/>
+        </createIndex>
+        <createIndex indexName="IDX_RES_SRV_SCOPE_RES_SRV" tableName="RESOURCE_SERVER_SCOPE">
+            <column name="RESOURCE_SERVER_CLIENT_ID" type="VARCHAR(36)"/>
+        </createIndex>
+
+        <addForeignKeyConstraint constraintName="FK_FRSRPO213XCX4WNKOG82SSRFY"
+            baseTableName="RESOURCE_SERVER_POLICY" baseColumnNames="RESOURCE_SERVER_CLIENT_ID" 
+            referencedTableName="RESOURCE_SERVER" referencedColumnNames="CLIENT_ID"/> 
+        <addForeignKeyConstraint constraintName="FK_FRSRHO213XCX4WNKOG82SSRFY" 
+            baseTableName="RESOURCE_SERVER_RESOURCE" baseColumnNames="RESOURCE_SERVER_CLIENT_ID" 
+            referencedTableName="RESOURCE_SERVER" referencedColumnNames="CLIENT_ID"/> 
+        <addForeignKeyConstraint constraintName="FK_FRSRSO213XCX4WNKOG82SSRFY"
+            baseTableName="RESOURCE_SERVER_SCOPE" baseColumnNames="RESOURCE_SERVER_CLIENT_ID" 
+            referencedTableName="RESOURCE_SERVER" referencedColumnNames="CLIENT_ID"/> 
+
+        <renameColumn tableName="RESOURCE_SERVER" oldColumnName="CLIENT_ID" newColumnName="ID"/>
+
+        <renameColumn tableName="RESOURCE_SERVER_POLICY" oldColumnName="RESOURCE_SERVER_CLIENT_ID" newColumnName="RESOURCE_SERVER_ID"/>
+        <renameColumn tableName="RESOURCE_SERVER_RESOURCE" oldColumnName="RESOURCE_SERVER_CLIENT_ID" newColumnName="RESOURCE_SERVER_ID"/>
+        <renameColumn tableName="RESOURCE_SERVER_SCOPE" oldColumnName="RESOURCE_SERVER_CLIENT_ID" newColumnName="RESOURCE_SERVER_ID"/>
+    </changeSet>
+</databaseChangeLog>
--- a/model/jpa/src/main/resources/META-INF/jpa-changelog-master.xml
+++ b/model/jpa/src/main/resources/META-INF/jpa-changelog-master.xml
@ -49,4 +49,5 @@
    <include file="META-INF/jpa-changelog-3.0.0.xml"/>
    <include file="META-INF/jpa-changelog-3.2.0.xml"/>
    <include file="META-INF/jpa-changelog-3.3.0.xml"/>
+    <include file="META-INF/jpa-changelog-3.4.0.xml"/>
 </databaseChangeLog>
--- a/server-spi-private/src/main/java/org/keycloak/authorization/model/ResourceServer.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/model/ResourceServer.java
@ -35,14 +35,6 @@ public interface ResourceServer {
     */
    String getId();

-    /**
-     * Returns the identifier of the client application (which already exists in Keycloak) that is also acting as a resource
-     * server.
-     *
-     * @return the identifier of the client application associated with this instance.
-     */
-    String getClientId();
-
    /**
     * Indicates if the resource server is allowed to manage its own resources remotely using the Protection API.
     *
--- a/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java
@ -165,7 +165,7 @@ public class DefaultPolicyEvaluator implements PolicyEvaluator {
                    List<Resource> resourcesByType = resourceStore.findByType(type, resource.getResourceServer().getId());

                    for (Resource resourceType : resourcesByType) {
-                        if (resourceType.getOwner().equals(resource.getResourceServer().getClientId())) {
+                        if (resourceType.getOwner().equals(resource.getResourceServer().getId())) {
                            resources.add(resourceType);
                        }
                    }
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceServerStore.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceServerStore.java
@ -51,13 +51,4 @@ public interface ResourceServerStore {
     * @return the resource server instance with the given identifier or null if no instance was found
     */
    ResourceServer findById(String id);
-
-    /**
-     * Returns a {@link ResourceServer} instance based on the identifier of a client application.
-     *
-     * @param id the identifier of an existing client application
-     * 
-     * @return the resource server instance, with the given client id or null if no instance was found
-     */
-    ResourceServer findByClient(String id);
 }
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/ClientApplicationSynchronizer.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/ClientApplicationSynchronizer.java
@ -37,7 +37,7 @@ public class ClientApplicationSynchronizer implements Synchronizer<ClientRemoved
        AuthorizationProvider authorizationProvider = providerFactory.create(event.getKeycloakSession());
        StoreFactory storeFactory = authorizationProvider.getStoreFactory();
        ResourceServerStore store = storeFactory.getResourceServerStore();
-        ResourceServer resourceServer = store.findByClient(event.getClient().getId());
+        ResourceServer resourceServer = store.findById(event.getClient().getId());

        if (resourceServer != null) {
            String id = resourceServer.getId();
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/RealmSynchronizer.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/RealmSynchronizer.java
@ -36,7 +36,7 @@ public class RealmSynchronizer implements Synchronizer<RealmRemovedEvent> {
        StoreFactory storeFactory = authorizationProvider.getStoreFactory();

        event.getRealm().getClients().forEach(clientModel -> {
-            ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(clientModel.getId());
+            ResourceServer resourceServer = storeFactory.getResourceServerStore().findById(clientModel.getId());

            if (resourceServer != null) {
                String id = resourceServer.getId();
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/UserSynchronizer.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/UserSynchronizer.java
@ -17,8 +17,6 @@

 package org.keycloak.authorization.store.syncronization;

-import java.util.function.Consumer;
-
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.store.PolicyStore;
@ -48,7 +46,7 @@ public class UserSynchronizer implements Synchronizer<UserRemovedEvent> {
        RealmModel realm = event.getRealm();

        realm.getClients().forEach(clientModel -> {
-            ResourceServer resourceServer = resourceServerStore.findByClient(clientModel.getId());
+            ResourceServer resourceServer = resourceServerStore.findById(clientModel.getId());

            if (resourceServer != null) {
                resourceStore.findByOwner(userModel.getId(), resourceServer.getId()).forEach(resource -> {
--- a/server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo2_1_0.java
+++ b/server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo2_1_0.java
@ -67,7 +67,7 @@ public class MigrateTo2_1_0 implements Migration {
        StoreFactory storeFactory = authorizationProvider.getStoreFactory();
        PolicyStore policyStore = storeFactory.getPolicyStore();
        realm.getClients().forEach(clientModel -> {
-            ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(clientModel.getId());
+            ResourceServer resourceServer = storeFactory.getResourceServerStore().findById(clientModel.getId());

            if (resourceServer != null) {
                policyStore.findByType("role", resourceServer.getId()).forEach(policy -> {
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
@ -35,7 +35,6 @@ import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.authorization.model.Scope;
 import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
 import org.keycloak.authorization.store.ResourceStore;
-import org.keycloak.common.Profile;
 import org.keycloak.common.util.MultivaluedHashMap;
 import org.keycloak.common.util.Time;
 import org.keycloak.component.ComponentModel;
@ -43,10 +42,10 @@ import org.keycloak.credential.CredentialModel;
 import org.keycloak.events.Event;
 import org.keycloak.events.admin.AdminEvent;
 import org.keycloak.events.admin.AuthDetails;
+import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.AuthenticationExecutionModel;
 import org.keycloak.models.AuthenticationFlowModel;
 import org.keycloak.models.AuthenticatorConfigModel;
-import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.ClientTemplateModel;
 import org.keycloak.models.FederatedIdentityModel;
@ -789,7 +788,7 @@ public class ModelToRepresentation {
        ResourceServerRepresentation server = new ResourceServerRepresentation();

        server.setId(model.getId());
-        server.setClientId(model.getClientId());
+        server.setClientId(model.getId());
        server.setName(client.getClientId());
        server.setAllowRemoteResourceManagement(model.isAllowRemoteResourceManagement());
        server.setPolicyEnforcementMode(model.getPolicyEnforcementMode());
@ -852,8 +851,8 @@ public class ModelToRepresentation {
        KeycloakSession keycloakSession = authorization.getKeycloakSession();
        RealmModel realm = authorization.getRealm();

-        if (owner.getId().equals(resourceServer.getClientId())) {
-            ClientModel clientModel = realm.getClientById(resourceServer.getClientId());
+        if (owner.getId().equals(resourceServer.getId())) {
+            ClientModel clientModel = realm.getClientById(resourceServer.getId());
            owner.setName(clientModel.getClientId());
        } else {
            UserModel userModel = keycloakSession.users().getUserById(owner.getId(), realm);
@ -882,7 +881,7 @@ public class ModelToRepresentation {
            if (resource.getType() != null) {
                ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
                for (Resource typed : resourceStore.findByType(resource.getType(), resourceServer.getId())) {
-                    if (typed.getOwner().equals(resourceServer.getClientId()) && !typed.getId().equals(resource.getId())) {
+                    if (typed.getOwner().equals(resourceServer.getId()) && !typed.getId().equals(resource.getId())) {
                        resource.setTypedScopes(typed.getScopes().stream().map(model1 -> {
                            ScopeRepresentation scope = new ScopeRepresentation();
                            scope.setId(model1.getId());
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
@ -1922,7 +1922,7 @@ public class RepresentationToModel {
    public static void toModel(ResourceServerRepresentation rep, AuthorizationProvider authorization) {
        ResourceServerStore resourceServerStore = authorization.getStoreFactory().getResourceServerStore();
        ResourceServer resourceServer;
-        ResourceServer existing = resourceServerStore.findByClient(rep.getClientId());
+        ResourceServer existing = resourceServerStore.findById(rep.getClientId());

        if (existing == null) {
            resourceServer = resourceServerStore.create(rep.getClientId());
@ -1947,7 +1947,7 @@ public class RepresentationToModel {

            if (owner == null) {
                owner = new ResourceOwnerRepresentation();
-                owner.setId(resourceServer.getClientId());
+                owner.setId(resourceServer.getId());
                resource.setOwner(owner);
            } else if (owner.getName() != null) {
                UserModel user = session.users().getUserByUsername(owner.getName(), realm);
@ -2270,7 +2270,7 @@ public class RepresentationToModel {

        if (owner == null) {
            owner = new ResourceOwnerRepresentation();
-            owner.setId(resourceServer.getClientId());
+            owner.setId(resourceServer.getId());
        }

        String ownerId = owner.getId();
@ -2279,7 +2279,7 @@ public class RepresentationToModel {
            throw new RuntimeException("No owner specified for resource [" + resource.getName() + "].");
        }

-        if (!resourceServer.getClientId().equals(ownerId)) {
+        if (!resourceServer.getId().equals(ownerId)) {
            RealmModel realm = authorization.getRealm();
            KeycloakSession keycloakSession = authorization.getKeycloakSession();
            UserProvider users = keycloakSession.users();
--- a/services/src/main/java/org/keycloak/authorization/admin/AuthorizationService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/AuthorizationService.java
@ -18,15 +18,15 @@

 package org.keycloak.authorization.admin;

+import javax.ws.rs.Path;
+
 import org.jboss.resteasy.spi.ResteasyProviderFactory;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.model.ResourceServer;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
-import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
 import org.keycloak.services.resources.admin.AdminEventBuilder;
-
-import javax.ws.rs.Path;
+import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;

 /**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@ -43,7 +43,7 @@ public class AuthorizationService {
        this.client = client;
        this.authorization = session.getProvider(AuthorizationProvider.class);
        this.adminEvent = adminEvent;
-        this.resourceServer = this.authorization.getStoreFactory().getResourceServerStore().findByClient(this.client.getId());
+        this.resourceServer = this.authorization.getStoreFactory().getResourceServerStore().findById(this.client.getId());
        this.auth = auth;
    }

--- a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java
@ -229,7 +229,7 @@ public class PolicyEvaluationService {
                String clientId = representation.getClientId();

                if (clientId == null) {
-                    clientId = resourceServer.getClientId();
+                    clientId = resourceServer.getId();
                }

                if (clientId != null) {
--- a/services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java
@ -30,17 +30,15 @@ import org.keycloak.events.admin.OperationType;
 import org.keycloak.events.admin.ResourceType;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.Constants;
-import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserModel;
-import org.keycloak.models.UserProvider;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation;
 import org.keycloak.representations.idm.authorization.ResourceRepresentation;
 import org.keycloak.representations.idm.authorization.ScopeRepresentation;
 import org.keycloak.services.ErrorResponse;
-import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
 import org.keycloak.services.resources.admin.AdminEventBuilder;
+import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;

 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
@ -103,7 +101,7 @@ public class ResourceSetService {

        if (owner == null) {
            owner = new ResourceOwnerRepresentation();
-            owner.setId(resourceServer.getClientId());
+            owner.setId(resourceServer.getId());
        }

        String ownerId = owner.getId();
@ -217,7 +215,7 @@ public class ResourceSetService {
        if (model.getType() != null) {
            ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
            for (Resource typed : resourceStore.findByType(model.getType(), resourceServer.getId())) {
-                if (typed.getOwner().equals(resourceServer.getClientId()) && !typed.getId().equals(model.getId())) {
+                if (typed.getOwner().equals(resourceServer.getId()) && !typed.getId().equals(model.getId())) {
                    scopes.addAll(typed.getScopes().stream().map(model1 -> {
                        ScopeRepresentation scope = new ScopeRepresentation();
                        scope.setId(model1.getId());
--- a/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
+++ b/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
@ -119,7 +119,7 @@ public class EntitlementService {
        }

        StoreFactory storeFactory = authorization.getStoreFactory();
-        ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(client.getId());
+        ResourceServer resourceServer = storeFactory.getResourceServerStore().findById(client.getId());

        if (resourceServer == null) {
            throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Client does not support permissions", Status.FORBIDDEN);
@ -152,7 +152,7 @@ public class EntitlementService {
        }

        StoreFactory storeFactory = authorization.getStoreFactory();
-        ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(client.getId());
+        ResourceServer resourceServer = storeFactory.getResourceServerStore().findById(client.getId());

        if (resourceServer == null) {
            throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Client does not support permissions", Status.FORBIDDEN);
--- a/services/src/main/java/org/keycloak/authorization/protection/ProtectionService.java
+++ b/services/src/main/java/org/keycloak/authorization/protection/ProtectionService.java
@ -100,7 +100,7 @@ public class ProtectionService {
        ResourceServer resourceServer = getResourceServer(identity);
        KeycloakSession keycloakSession = authorization.getKeycloakSession();
        RealmModel realm = keycloakSession.getContext().getRealm();
-        ClientModel client = realm.getClientById(resourceServer.getClientId());
+        ClientModel client = realm.getClientById(resourceServer.getId());

        if (!identity.hasClientRole(client.getClientId(), "uma_protection")) {
            throw new ErrorResponseException(OAuthErrorException.INVALID_SCOPE, "Requires uma_protection scope.", Status.FORBIDDEN);
@ -117,7 +117,7 @@ public class ProtectionService {
            throw new ErrorResponseException("invalid_clientId", "Client application with id [" + identity.getId() + "] does not exist in realm [" + realm.getName() + "]", Status.BAD_REQUEST);
        }

-        ResourceServer resourceServer = this.authorization.getStoreFactory().getResourceServerStore().findByClient(identity.getId());
+        ResourceServer resourceServer = this.authorization.getStoreFactory().getResourceServerStore().findById(identity.getId());

        if (resourceServer == null) {
            throw new ErrorResponseException("invalid_clientId", "Client application [" + clientApplication.getClientId() + "] is not registered as resource server.", Status.FORBIDDEN);
--- a/services/src/main/java/org/keycloak/authorization/protection/permission/AbstractPermissionService.java
+++ b/services/src/main/java/org/keycloak/authorization/protection/permission/AbstractPermissionService.java
@ -114,7 +114,7 @@ public class AbstractPermissionService {
                }

                for (Resource baseResource : authorization.getStoreFactory().getResourceStore().findByType(resource.getType(), resourceServer.getId())) {
-                    if (baseResource.getOwner().equals(resource.getResourceServer().getClientId())) {
+                    if (baseResource.getOwner().equals(resource.getResourceServer().getId())) {
                        for (Scope baseScope : baseResource.getScopes()) {
                            if (baseScope.getName().equals(scopeName)) {
                                return new ScopeRepresentation(scopeName);
--- a/services/src/main/java/org/keycloak/authorization/util/Permissions.java
+++ b/services/src/main/java/org/keycloak/authorization/util/Permissions.java
@ -20,8 +20,6 @@ package org.keycloak.authorization.util;

 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.LinkedList;
@ -70,7 +68,7 @@ public final class Permissions {
        StoreFactory storeFactory = authorization.getStoreFactory();
        ResourceStore resourceStore = storeFactory.getResourceStore();

-        resourceStore.findByOwner(resourceServer.getClientId(), resourceServer.getId()).stream().forEach(resource -> permissions.addAll(createResourcePermissionsWithScopes(resource, new LinkedList(resource.getScopes()), authorization)));
+        resourceStore.findByOwner(resourceServer.getId(), resourceServer.getId()).stream().forEach(resource -> permissions.addAll(createResourcePermissionsWithScopes(resource, new LinkedList(resource.getScopes()), authorization)));
        resourceStore.findByOwner(identity.getId(), resourceServer.getId()).stream().forEach(resource -> permissions.addAll(createResourcePermissionsWithScopes(resource, new LinkedList(resource.getScopes()), authorization)));

        return permissions;
@ -86,11 +84,11 @@ public final class Permissions {
            scopes = new LinkedList<>(resource.getScopes());
            // check if there is a typed resource whose scopes are inherited by the resource being requested. In this case, we assume that parent resource
            // is owned by the resource server itself
-            if (type != null && !resource.getOwner().equals(resourceServer.getClientId())) {
+            if (type != null && !resource.getOwner().equals(resourceServer.getId())) {
                StoreFactory storeFactory = authorization.getStoreFactory();
                ResourceStore resourceStore = storeFactory.getResourceStore();
                resourceStore.findByType(type, resourceServer.getId()).forEach(resource1 -> {
-                    if (resource1.getOwner().equals(resourceServer.getClientId())) {
+                    if (resource1.getOwner().equals(resourceServer.getId())) {
                        for (Scope typeScope : resource1.getScopes()) {
                            if (!scopes.contains(typeScope)) {
                                scopes.add(typeScope);
@ -123,11 +121,11 @@ public final class Permissions {

        // check if there is a typed resource whose scopes are inherited by the resource being requested. In this case, we assume that parent resource
        // is owned by the resource server itself
-        if (type != null && !resource.getOwner().equals(resourceServer.getClientId())) {
+        if (type != null && !resource.getOwner().equals(resourceServer.getId())) {
            StoreFactory storeFactory = authorization.getStoreFactory();
            ResourceStore resourceStore = storeFactory.getResourceStore();
            resourceStore.findByType(type, resourceServer.getId()).forEach(resource1 -> {
-                if (resource1.getOwner().equals(resourceServer.getClientId())) {
+                if (resource1.getOwner().equals(resourceServer.getId())) {
                    for (Scope typeScope : resource1.getScopes()) {
                        if (!scopes.contains(typeScope)) {
                            scopes.add(typeScope);
--- a/services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java
+++ b/services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java
@ -55,7 +55,6 @@ import org.keycloak.models.RoleContainerModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserConsentModel;
 import org.keycloak.models.UserModel;
-import org.keycloak.models.UserProvider;
 import org.keycloak.models.utils.ModelToRepresentation;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.ClientTemplateRepresentation;
@ -73,6 +72,7 @@ import org.keycloak.representations.idm.authorization.ResourceRepresentation;
 import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
 import org.keycloak.representations.idm.authorization.ScopeRepresentation;
 import org.keycloak.util.JsonSerialization;
+
 import com.fasterxml.jackson.core.JsonEncoding;
 import com.fasterxml.jackson.core.JsonFactory;
 import com.fasterxml.jackson.core.JsonGenerator;
@ -298,7 +298,7 @@ public class ExportUtils {
        AuthorizationProviderFactory providerFactory = (AuthorizationProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(AuthorizationProvider.class);
        AuthorizationProvider authorization = providerFactory.create(session, client.getRealm());
        StoreFactory storeFactory = authorization.getStoreFactory();
-        ResourceServer settingsModel = authorization.getStoreFactory().getResourceServerStore().findByClient(client.getId());
+        ResourceServer settingsModel = authorization.getStoreFactory().getResourceServerStore().findById(client.getId());

        if (settingsModel == null) {
            return null;
@ -314,7 +314,7 @@ public class ExportUtils {
                .stream().map(resource -> {
                    ResourceRepresentation rep = toRepresentation(resource, settingsModel, authorization);

-                    if (rep.getOwner().getId().equals(settingsModel.getClientId())) {
+                    if (rep.getOwner().getId().equals(settingsModel.getId())) {
                        rep.setOwner(null);
                    } else {
                        rep.getOwner().setId(null);
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
@ -112,7 +112,7 @@ class ClientPermissions implements ClientPermissionEvaluator,  ClientPermissionM
        String resourceName = getResourceName(client);
        Resource resource = authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId());
        if (resource == null) {
-            resource = authz.getStoreFactory().getResourceStore().create(resourceName, server, server.getClientId());
+            resource = authz.getStoreFactory().getResourceStore().create(resourceName, server, server.getId());
            resource.setType("Client");
            Set<Scope> scopeset = new HashSet<>();
            scopeset.add(configureScope);
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
@ -26,7 +26,6 @@ import org.keycloak.models.AdminRoles;
 import org.keycloak.models.GroupModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
-import org.keycloak.models.utils.ModelToRepresentation;
 import org.keycloak.services.ForbiddenException;

 import java.util.HashMap;
@ -95,7 +94,7 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
        String groupResourceName = getGroupResourceName(group);
        Resource groupResource = authz.getStoreFactory().getResourceStore().findByName(groupResourceName, server.getId());
        if (groupResource == null) {
-            groupResource = authz.getStoreFactory().getResourceStore().create(groupResourceName, server, server.getClientId());
+            groupResource = authz.getStoreFactory().getResourceStore().create(groupResourceName, server, server.getId());
            Set<Scope> scopeset = new HashSet<>();
            scopeset.add(manageScope);
            scopeset.add(viewScope);
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/IdentityProviderPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/IdentityProviderPermissions.java
@ -32,7 +32,6 @@ import org.keycloak.models.RealmModel;

 import java.util.Arrays;
 import java.util.Collection;
-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
@ -76,7 +75,7 @@ class IdentityProviderPermissions implements  IdentityProviderPermissionManageme
        String resourceName = getResourceName(idp);
        Resource resource = authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId());
        if (resource == null) {
-            resource = authz.getStoreFactory().getResourceStore().create(resourceName, server, server.getClientId());
+            resource = authz.getStoreFactory().getResourceStore().create(resourceName, server, server.getId());
            resource.setType("IdentityProvider");
            Set<Scope> scopeset = new HashSet<>();
            scopeset.add(exchangeToScope);
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
@ -40,7 +40,6 @@ import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.RealmModel;
-import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.services.ForbiddenException;
 import org.keycloak.services.managers.RealmManager;
@ -252,7 +251,7 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
        ResourceServerStore resourceServerStore = authz.getStoreFactory().getResourceServerStore();
        ClientModel client = getRealmManagementClient();
        if (client == null) return null;
-        realmResourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(client.getId());
+        realmResourceServer = authz.getStoreFactory().getResourceServerStore().findById(client.getId());
        return realmResourceServer;

    }
@ -260,7 +259,7 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
    public ResourceServer initializeRealmResourceServer() {
        if (realmResourceServer != null) return realmResourceServer;
        ClientModel client = getRealmManagementClient();
-        realmResourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(client.getId());
+        realmResourceServer = authz.getStoreFactory().getResourceServerStore().findById(client.getId());
        if (realmResourceServer == null) {
            realmResourceServer = authz.getStoreFactory().getResourceServerStore().create(client.getId());
        }
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
@ -34,7 +34,6 @@ import org.keycloak.models.RoleModel;
 import org.keycloak.representations.idm.authorization.DecisionStrategy;
 import org.keycloak.services.ForbiddenException;

-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
@ -541,7 +540,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
        String roleResourceName = getRoleResourceName(role);
        Resource resource = authz.getStoreFactory().getResourceStore().findByName(roleResourceName, server.getId());
        if (resource == null) {
-            resource = authz.getStoreFactory().getResourceStore().create(roleResourceName, server, server.getClientId());
+            resource = authz.getStoreFactory().getResourceStore().create(roleResourceName, server, server.getId());
            Set<Scope> scopeset = new HashSet<>();
            scopeset.add(mapClientScope);
            scopeset.add(mapCompositeScope);
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
@ -84,7 +84,7 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme

        Resource usersResource = authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
        if (usersResource == null) {
-            usersResource = authz.getStoreFactory().getResourceStore().create(USERS_RESOURCE, server, server.getClientId());
+            usersResource = authz.getStoreFactory().getResourceStore().create(USERS_RESOURCE, server, server.getId());
            Set<Scope> scopeset = new HashSet<>();
            scopeset.add(manageScope);
            scopeset.add(viewScope);
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
@ -85,7 +85,7 @@ public class AuthzCleanupTest extends AbstractKeycloakTest {
        session.getContext().setRealm(realm);
        AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
        ClientModel myclient = realm.getClientByClientId("myclient");
-        ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(myclient.getId());
+        ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().findById(myclient.getId());
        createRolePolicy(authz, resourceServer, "client-role-1");
        createRolePolicy(authz, resourceServer, "client-role-2");
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
@ -1829,7 +1829,7 @@ public class PermissionsTest extends AbstractKeycloakTest {

        for (Method m : rep.getClass().getDeclaredMethods()) {
            if (m.getParameters().length == 0 && m.getName().startsWith("get") && !ignoreList.contains(m.getName())) {
-                try {
+                    try {
                    Object o = m.invoke(rep);
                    assertNull("Expected " + m.getName() + " to be null", o);
                } catch (Exception e) {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationCompositeRoleTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationCompositeRoleTest.java
@ -87,7 +87,7 @@ public class PolicyEvaluationCompositeRoleTest extends AbstractAuthzTest {
        Policy policy = createRolePolicy(authz, resourceServer, role1);

        Scope scope = authz.getStoreFactory().getScopeStore().create("myscope", resourceServer);
-        Resource resource = authz.getStoreFactory().getResourceStore().create("myresource", resourceServer, resourceServer.getClientId());
+        Resource resource = authz.getStoreFactory().getResourceStore().create("myresource", resourceServer, resourceServer.getId());
        addScopePermission(authz, resourceServer, "mypermission", resource, scope, policy);

        RoleModel composite = realm.addRole("composite");
--- a/testsuite/integration-deprecated/src/test/java/org/keycloak/testsuite/authorization/ResourceManagementTest.java
+++ b/testsuite/integration-deprecated/src/test/java/org/keycloak/testsuite/authorization/ResourceManagementTest.java
@ -61,7 +61,6 @@ public class ResourceManagementTest extends AbstractPhotozAdminTest {
            assertEquals("Resource Type", resourceModel.getType());
            assertEquals("Resource Icon URI", resourceModel.getIconUri());
            assertEquals("Resource URI", resourceModel.getUri());
-            assertEquals(resourceServer.getClientId(), resourceModel.getOwner());
            assertEquals(resourceServer.getId(), resourceModel.getResourceServer().getId());
        });
    }