[keycloak-dev] OIDC Discovery-enabled IdentityProvider

Tomas Kyjovsky tkyjovsk at redhat.com
Tue Jan 15 09:25:53 EST 2019 

Hello James,

See my 2 cents inline..

----- Original Message -----
> All--
> 
>  
> 
> After observing that the Google Social Identity Provider in Keycloak was
> using a deprecated userprofile endpoint [
> <https://issues.jboss.org/projects/KEYCLOAK/issues/KEYCLOAK-9179>
> Keycloak-9179,  <https://issues.jboss.org/browse/KEYCLOAK-9169>
> Keycloak-9169], I wanted to propose the creation of an IdentityProvider that
> will use the OIDC Discovery mechanism to dynamically build a config [
> <https://issues.jboss.org/browse/KEYCLOAK-9194> Keycloak-9194].
> 
>  
> 
> I see a few decision points along the way that I wanted to ask about before
> an implementation, since I'm very new to keycloak and just starting to
> understand the codebase. In particular, I wondered if this group could share
> insight into these couple issues so I can make a more informed design:
> 
>  
> 
> 1.    It looks to me like the actual IdentityProviders are instantiated just
> as they're being used, but that the models are persisted in the RealmModel.
> It's not clear to me where the separation of concerns is supposed to be
> between the IdentityProvider and the IdentityProviderModel-in particular
> since the GoogeIdentityProvider, say, immediately sets endpoints in its
> constructor. Normatively, where *should* social identity providers' model
> configuration be set (and, e.g., where are the models first added to the
> RealmModel)?

Provider classes are being instantiated per transaction by their corresponding ProviderFactories and then left to be garbage-collected after Provider.close() is called.
The Provider class is given its configuration (IdentityProviderModel in this case) by its factory which I believe loads it from cache/jpa layer. Any class extending AbstractIdentityProvider should then be able to access its config via getConfig() method but I don't think it will be able to update/persist it back. The provider configuration/model itself is managed by the IdentityProviderResource (REST endpoint accessible via REST or admin console UI) in the keycloak/services module so I think the auto-configuration logic would have to be placed somewhere there.

> 
>  
> 
> 2.    I see that there is logic to parse OIDC Discovery configuration as
> part of configuring Keycloak itself as an OIDC provider / implementer of
> OIDC protocol (including building and parsing the .well-known config
> elements), but that logic seems not to be used in any setting currently as a
> client. Should I plan to reuse, say, the OIDCConfigurationRepresentation and
> OIDCWellKnownProvider classes for their logic in handling such configs?
> 
>  
> 
>  
> 
> Currently, I'm imagining something along the lines of extending
> OIDCIdentityProvider with a new OIDCDiscoveryIdentityProvider that adds a
> discoverConfig method which can be used by an implementing class (such as
> GoogleIdentityProvider) to discover and cache endpoints such that they are
> not hard-coded into the implementing class. Each implementing class would
> then have a public static final DISCOVERY_URL that it passes to
> discoverConfig.
> 
>  
> 
> My main hangup, as suggested above, is that to implement the caching, I want
> to ensure that the model configuration is stored/set in the right place.
> 
>  
> 
> Thanks for bearing with me as I come up to speed on this!
> 
>  
> 
> James
> 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 


Regards,
Tomas

More information about the keycloak-dev mailing list