[keycloak-dev] relationship between application and realm
Stian Thorgersen
stian at redhat.com
Thu Sep 12 09:23:17 EDT 2013
I strongly believe that applications should be under a separate top-level menu.
- An application is configured to use a realm; it's not a child of the realm
- A developer may know what application he's looking for, but not know what realm it belongs to
I also believe that a first-time user should be able to create an application without having to create a realm first. There are several options for this:
- Create a default realm for a user when the first application is created
- Embed the creating realm form into the creating application form / this should require very little additional work on the UI level if Angular services and partials are done correctly
Having applications as a separate entity is also vital if for example an MBaaS solution should consume Keycloak and reuse parts of the admin console. In this case an application doesn't only have a security realm, and security configuration, it also has data configuration, push notification configuration, etc.
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, 12 September, 2013 1:38:17 PM
> Subject: [keycloak-dev] relationship between application and realm
>
> I want to bring this up again because I feel strongly about it. Having
> "Application" separate from "Realm" or a top-level-menu item, is not a
> good thing for many reasons. I'm talking about this idea of only
> creating an Application for single apps through the admin UI and setting
> up everything based only on the idea of an Application with no knowledge
> of what a realm is.
>
> * Realm is core to the implementation.
> * Once you want to do SSO, you have to know what a realm is. This idea
> of merging/exporting/importing an Application into a Realm seems just
> very complex to me. I'm of the strong opinion that it's just not a great
> idea because SSO (and Single Log Out) is one of our key features.
> * You're not creating an application within Keycloak, you're securing an
> application. A Realm really pertains to the auth-server. Application
> pertains to the
> * JBoss, Tomcat, and Jetty, really most Java developers already know
> what a Realm is. Even Basic Auth has the concept of a Realm. Realm is
> just such a core concept to security.
> * Removing the concept of a Realm for a single-app domain, doesn't
> really simplify much for the user. All we're really asking the user to
> do is specify a name for the realm and configure providers and manage
> users at the realm level.
> * Having a noticeably different UI for a one-off-app vs. a multi-app
> realm is just confusing to the user. It creates more work for us, for
> very little gain.
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com