[keycloak-dev] relationship between application and realm

Stian Thorgersen stian at redhat.com
Thu Sep 12 09:23:17 EDT 2013


I strongly believe that applications should be under a separate top-level menu.

- An application is configured to use a realm; it's not a child of the realm
- A developer may know what application he's looking for, but not know what realm it belongs to

I also believe that a first time user should be able to create an application without having to create a realm first. There are several options for this:

- Create a default realm for a user when the first application is created
- Embed the creating realm form into the creating application form / this should require very little additional work on the UI level if Angular services and partials are done correctly

Having applications as a separate entity is also vital if for example an MBaaS solution should consume Keycloak and reuse parts of the admin console. In this case an application doesn't only have a security realm, and security configuration, it also has data configuration, push notification configuration, etc.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, 12 September, 2013 1:38:17 PM
> Subject: [keycloak-dev] relationship between application and realm
> 
> I want to bring this up again because I feel strongly about it.  Having
> "Application" separate from "Realm" or a top-level-menu item, is not a
> good thing for many reasons.  I'm talking about this idea of only
> creating an Application for single apps through the admin UI and setting
> up everything based only on the idea of an Application with no knowledge
> of what a realm is.
> 
> * Realm is core to the implementation.
> * Once you want to do SSO, you have to know what a realm is.  This idea
> of merging/exporting/importing an Application into a Realm seems just
> very complex to me.  I'm of the strong opinion that it's just not a great
> idea because SSO (and Single Log Out) is one of our key features.
> * You're not creating an application within Keycloak, you're securing an
> application.  A Realm really pertains to the auth-server.  Application
> pertains to the
> * JBoss, Tomcat, and Jetty, really most Java developers already know
> what a Realm is.  Even Basic Auth has the concept of a Realm.  Realm is
> just such a core concept to security.
> * Removing the concept of a Realm for a single-app domain, doesn't
> really simplify much for the user.  All we're really asking the user to
> do is specify a name for the realm and configure providers and manage
> users at the realm level.
> * Having a noticeably different UI for a one-off-app vs. a multi-app
> realm is just confusing to the user.  It creates more work for us, for
> very little gain.
> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com