[keycloak-dev] triple abstraction?

Bill Burke bburke at redhat.com
Tue Jul 8 11:29:03 EDT 2014



On 7/8/2014 11:16 AM, Stian Thorgersen wrote:
> Dropping Hybrid API sounds like pretty much undoing all the work I've done the last couple weeks :(
>

I honestly have some serious concerns that this split will solve much. 
See my previous email.

> IMO what we should do is to drop the Model API/SPI. Instead make it into a single implementation that delegates to the various providers (RealmProvider, UserProvider, SessionProvider and probably also CacheProvider). We can then merge this with RealmManager, ApplicationManager, etc. and instead have a single ModelManager.
>
> I don't think it's a good idea to make the UserProvider create RoleModels. The UserProvider should be as simple as possible IMO, and shouldn't deal with Realms, Apps, Roles, etc, other than through simple id's.
>

That's not what I said.  UserProvider may have to map between an 
existing static user role mapping in some existing LDAP store to a role 
defined in Keycloak.  It may be impossible to map one to one a Keycloak 
role id and the role mapping stored in the customer's user database.

Federating an existing user store is pretty hard to do even with the 
current split.  Not only does the UserProvider make some pretty steep 
assumptions, it's pretty hard, IMO, to understand exactly where 
AuthenticationProvider begins and the UserProvider takes over, or the 
relationship between the two.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

