[keycloak-dev] M1 release scope

Thu Sep 19 08:29:52 EDT 2013

On 9/19/2013 5:10 AM, Stian Thorgersen wrote:
> Bill, I assume you would be happy with Marek adding MongoDB to M1 as long as we take on any work related to it?
>
> It's important for the MBaaS project.

I'd be happy to ditch Picketlink and use Mongo.  Marek, is it something 
that can be learned quickly?

> I think we need to have:
>

Keep in mind that this is just a milestone release to garner community 
interest and show Red Hat management that we're capable of delivering 
something.

> * REST endpoints for admin tasks - managing realms, applications and users - it should be possible to authenticate to these using TokenService
> * REST endpoints for user tasks - login, register, change password, etc. - same again authenticate using TokenService
> * Document all REST endpoints
> * Forms for required user actions - register, verify email, reset password, update profile (for social)
>

As I said in the OP, if we had a read-only backend that was just one or 
two big JSON or XML files, the admin could edit them directly.  Then 
there would be no need for a management REST or UI interface, no need 
for registration, email verification, reset password, etc...  We would 
just ship a token service, login page, and oauth grant page in this 
scenario.  As I mentioned in the OP, there's still a lot of work to do 
just to do this.

Another option is to hold off on the Admin Web UI and do a console 
command line interface.  This would allow us to flush out the admin REST 
interfaces.

All this depends when we want to do an M1 release.  If we're find with 
an end-of-year release, then we can keep doing what we're doing instead 
of refocusing.

> The admin console could be (and should be IMO) separated out completely. To enable it you would register it as an application with the Keycloak server and configure it in the same way as you use any other application. This way it can be released separately to the main Keycloak server (and also deployed separately). I also think we should get rid of the authentication parts in SaasService and use TokenService instead. This is to reduce the duplicated effort, and also I think that's the correct approach in either case - the admin console (and any other consoles, cli, etc.) should just be applications registered with Keycloak and use public rest endpoints for authentication and to manage realms/apps/users.
>

Ok, that sounds good.  I agree that SaaS login and registration probably 
needs to go.  From our conversations it seems that we're not going to be 
deploying Keycloak as a SaaS that services multiple accounts, even in a 
cloud environment.   All this effects the design of the backend and how 
we bootstrap, configure, and install Keycloak.  We need a separate email 
thread to discuss this.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com