[keycloak-dev] Remaining work for 1.1.0.Final

Marek Posolda mposolda at redhat.com
Tue Dec 16 09:25:27 EST 2014


On 16.12.2014 14:55, Pedro Igor Silva wrote:
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>, "Pedro Igor Silva" <psilva at redhat.com>
>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
>> Sent: Tuesday, December 16, 2014 11:42:44 AM
>> Subject: Re: [keycloak-dev] Remaining work for 1.1.0.Final
>>
>> On 16.12.2014 13:37, Stian Thorgersen wrote:
>>> ----- Original Message -----
>>>> From: "Pedro Igor Silva" <psilva at redhat.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
>>>> Sent: Tuesday, 16 December, 2014 1:25:50 PM
>>>> Subject: Re: [keycloak-dev] Remaining work for 1.1.0.Final
>>>>
>>>> Btw, regarding SAML brokering. I'm trying to focus on KC integration with
>>>> a
>>>> PL SAML IdP. I think that will help people (customers and community)
>>>> already
>>>> using PL to adopt KC without forcing them to drop existing infrastructure
>>>> and investments. And that will also help them to think about a migration
>>>> plan.
>>> Makes sense. We should also provide a migration path for the stored users.
>>> If we moved to PL IDM that'd be easy, but not sure that'll happen straight
>>> away. Maybe we could provide a PL IDM user federation provider?
>> Well, we defacto already have it :) Our LDAPFederationProvider is using
>> Picketlink IDM API to bridge between keycloak model and
>> org.picketlink.idm.model.basic.User . There is no direct interaction
>> with LDAP, but everything goes through PL IDM API.
>>
>> In early stage when we discussed ldap integration and using PL IDM API
>> for it, we also discussed that it could be nice if people could provide
>> different source of PL IDM store. So there is PartitionManagerProvider
>> interface, which provides access to pl idm PartitionManager. Right now
>> we have just one implementation LDAPPartitionManagerProvider, which
>> returns picketlink PartitionManager configured to use LDAP store based
>> on ldap configuration provided by keycloak admin console.
>>
>> So theoretically only thing, which people need to do is to provide their
>> own PartitionManagerProvider when they can configure PL IDM stores
>> according to their environment. And this PartitionManagerProvider would
>> need to be configured in keycloak-server.json, so it has precedence over
>> the default LDAP based impl. Only condition is that their users should
>> be retrievable with usage of org.picketlink.idm.model.basic.User from PL
>> IDM Basic model.
> Or they can just provide a JNDI url where the PartitionManager is located, when using the subsystem. Also, PL IDM has the concept of stereotypes [1]. What means, in theory, that you can deal with any identity model definition (eg.: not only the basic identity model).
yeah, so we can do something like "SubsystemPartitionManagerProvider", 
which will allow people to retrieve PartitionManager from JNDI URL and 
they won't need to code anything by themselves. Only provide JDNI URL in 
configuration.
>
> [1] http://docs.jboss.org/picketlink/2/latest/reference/html-single/#sect-Stereotypes
>
>> Marek
>>>> ----- Original Message -----
>>>> From: "Pedro Igor Silva" <psilva at redhat.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
>>>> Sent: Tuesday, December 16, 2014 10:15:40 AM
>>>> Subject: Re: [keycloak-dev] Remaining work for 1.1.0.Final
>>>>
>>>> ----- Original Message -----
>>>>> From: "Stian Thorgersen" <stian at redhat.com>
>>>>> To: "Pedro Igor Silva" <psilva at redhat.com>
>>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
>>>>> Sent: Tuesday, December 16, 2014 9:46:04 AM
>>>>> Subject: Re: [keycloak-dev] Remaining work for 1.1.0.Final
>>>>>
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Pedro Igor Silva" <psilva at redhat.com>
>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
>>>>>> Sent: Tuesday, 16 December, 2014 12:38:35 PM
>>>>>> Subject: Re: [keycloak-dev] Remaining work for 1.1.0.Final
>>>>>>
>>>>>> Stian,
>>>>>>
>>>>>>      Regarding my tasks, I will be more dedicated to KC once I decrease
>>>>>>      my
>>>>>>      PL
>>>>>>      backlog a bit. This week is becoming very productive and will help
>>>>>>      me
>>>>>>      to
>>>>>>      plan my work load with more focus on my KC tasks.
>>>>>>
>>>>> Great, I was hoping that'd be the case :)
>>>>>
>>>>>>      Release date for 1.1.0.Final is 09/Feb/15, right ?
>>>>> No, hopefully around 09/Jan/15. With regards to identity brokering do you
>>>>> think you'll be able to wrap-it up by then or would you need longer?
>>>> In JIRA, 1.1.0.Final is targeted to 09/Feb/15. That is why I asked ...
>>>>
>>>> Regarding the brokering stuff, the missing bits are:
>>>>
>>>> - Remove old social references from code.
>>>> - Review Account page.
>>>> - Add more config options to SAML brokering
>>>>     - Upload IdP metadata
>>>>     - Signature and Encryption support
>>>>     - Http Binding Configuration for AuthnRequests
>>>>     - NameID Format configuration for AuthnRequests
>>>> - Automatic redirection when no credential is supported and a single IdP
>>>> is
>>>> configured/enabled.
>>>> - Test KC brokering.
>>>>     - Requires a better OIDC support in KC. We already have some JIRAs for
>>>>     that.
>>>>
>>>> There is also the attribute mapping stuff. Which will allow users to
>>>> resolve
>>>> claims/attributes from trusted IdPs. But to support that, I think we first
>>>> need the custom claim/profiles in place. However, this is not a blocker
>>>> for
>>>> a first release IMO.
>>>>
>>>> The broker is already doing the job. UI, model, REST endpoints,
>>>> persistence
>>>> and SPI are fine. We have everything we need to focus only on the
>>>> functional
>>>> bits.
>>>>
>>>>> For the other OpenID Connect tasks (1.2) we'll just do them in priority
>>>>> order. If you get stuck on PL issues we can push them out, or someone
>>>>> else
>>>>> can help you.
>>>>>
>>>>>> Regards.
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Stian Thorgersen" <stian at redhat.com>
>>>>>> To: "keycloak dev" <keycloak-dev at lists.jboss.org>
>>>>>> Sent: Tuesday, December 16, 2014 9:13:44 AM
>>>>>> Subject: [keycloak-dev] Remaining work for 1.1.0.Final
>>>>>>
>>>>>> Before we start any new features we should release 1.1.0.Final. Are
>>>>>> there
>>>>>> any
>>>>>> outstanding tasks not listed in JIRA:
>>>>>>
>>>>>>     https://issues.jboss.org/issues/?jql=project%20%3D%20KEYCLOAK%20AND%20resolution%20%3D%20Unresolved%20AND%20fixVersion%20%3D%201.1.0.Final
>>>>>>
>>>>>> There's quite a lot of bugs associated with the release. I'd like us to
>>>>>> try
>>>>>> to get rid of as many as possible before releasing, so would be great if
>>>>>> everyone can do some bug fixing before starting on features for 1.2.
>>>>>>
>>>>>> Let's aim for a release shortly after we all return in the New Year.
>>>>>>
>>>>>> ----
>>>>>>
>>>>>> Features for 1.2 includes:
>>>>>>
>>>>>> * SAML redirect logout (KEYCLOAK-771, Bill)
>>>>>> * Custom user profiles (KEYCLOAK-311, Bill)
>>>>>> * Kerberos brokering (KEYCLOAK-828, Marek)
>>>>>> * LDAP enhancement (KEYCLOAK-886, Marek)
>>>>>> * OpenID Connect Interop Testing (KEYCLOAK-524, Pedro)
>>>>>> * OpenID Connect Discovery (KEYCLOAK-571, Pedro)
>>>>>> * OpenID Connect Dynamic Registration (KEYCLOAK-684, Pedro)
>>>>>> * OpenID Connect Session Management - review and finish missing parts
>>>>>> (KEYCLOAK-451, Pedro)
>>>>>> * Fabric8 integration (Stian)
>>>>>>
>>>>>> ----
>>>>>>
>>>>>> I've started creating JIRA's for tasks we defined at the F2F and I'll
>>>>>> also
>>>>>> create agile boards (or use labels) to make it easy to identify
>>>>>> categories
>>>>>> of tasks. Main plan is to make it easy for us to pull out for example
>>>>>> all
>>>>>> tasks related to EAP, IDM, etc.
>>>>>>
>>>>>> I've also dropped the 1.x version. All tasks should now be scheduled for
>>>>>> current version, the next version or not have a version associated with
>>>>>> it.
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>



More information about the keycloak-dev mailing list