[keycloak-dev] [authz] REST and Java API need work
Bill Burke
bburke at redhat.com
Sun Mar 26 11:06:48 EDT 2017
The Authorization component of Keycloak is really cool and has a strong core
base of functionality. I think it needs another iteration though,
especially around the REST interface and Java API.
The REST interface is just too complex for anybody to use. I'll give
some examples:
* To create a permission, you must create a PolicyRepresentation.
Policy and Permission are overloaded and it's unclear how to use the REST
API to create concepts that exist in the admin console.
* To apply resources and scopes to a permission definition, you have to
store a stringified JSON array into a regular JSON map.
* In the Java API, Policy and Permission are also overloaded. In the data model,
policy and permission are also overloaded. This makes it really unclear
how to create a permission vs. just a plain policy.
Suggestion:
* Create a PermissionDefinitionRepresentation and pull core config
options (scopes, applied policies, resources) into actual fields rather
than in a generic config map.
* Leverage the ComponentModel API to store non-core configuration, i.e.
policy type specific information. It supports multi-valued hash maps
and also has utilities in admin console for rendering this configuration
data.
* Create a PermissionDefinition interface in storage API
Bill
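
The double encoding described in the second bullet, next to the typed shape the suggestion asks for, as an added example that is not part of the original post or Keycloak's own code. The config keys `resources`, `scopes` and `applyPolicies` are assumed (the post does not name them), the sample payload is constructed, and the typed output's field names are hypothetical.

```python
import json

# Keys whose values are JSON arrays serialized into strings inside the
# generic config map (assumed key names; not stated in the post).
CORE_KEYS = ("resources", "scopes", "applyPolicies")


def decode_string_array(key, raw):
    """Decode one stringified JSON array, rejecting anything else."""
    try:
        value = json.loads(raw)
    except (TypeError, ValueError) as exc:
        raise ValueError(f"config[{key!r}] is not valid JSON") from exc
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise ValueError(f"config[{key!r}] must be a JSON array of strings")
    return value


def to_typed_permission(policy):
    """Split a config-map policy into typed core fields plus leftover config.

    The output field names are hypothetical, sketching the typed
    representation the post suggests.
    """
    config = dict(policy.get("config", {}))
    typed = {k: policy[k] for k in ("name", "type") if k in policy}
    for key in CORE_KEYS:
        typed[key] = decode_string_array(key, config.pop(key, "[]"))
    typed["config"] = config  # non-core, policy-type-specific settings
    return typed


# Constructed sample: a scope permission as the config-map form carries it.
LEGACY = {
    "name": "View Album Permission",
    "type": "scope",
    "config": {
        "resources": json.dumps(["Album Resource"]),
        "scopes": json.dumps(["album:view"]),
        "applyPolicies": json.dumps(["Only Owner Policy"]),
        "customSetting": "x",
    },
}

if __name__ == "__main__":
    print(json.dumps(LEGACY, indent=2))  # note the escaped quotes
    print(json.dumps(to_typed_permission(LEGACY), indent=2))
```

With typed fields, a malformed scope or resource list is rejected when the permission is parsed, rather than surfacing later when the stringified value is decoded.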