[keycloak-dev] [Keycloak Operator] Modifying browserRedirectorIdentityProvider while creating a realm

Stian Thorgersen sthorger at redhat.com
Mon Nov 4 04:32:20 EST 2019


In general there is an issue with realm representations often being
bloated, especially with authentication flows. This issue should be solved
on the Keycloak server (at least long term). Short term, the simplest would
just be to include the full authentication flow definition in the realm
representation. Long term, the realm representations should be improved both
in terms of import and export. Export should only include values that have
changed from the defaults and not all values. Import should allow setting
only what you want to change and not everything; with regards to auth flows
it should be possible to set config of the default flow without having to
specify the default flow itself.

On Sat, 2 Nov 2019 at 16:07, Sebastian Laskawiec <slaskawi at redhat.com>
wrote:

> Hey guys,
>
> Peter is currently working on setting the "defaultProvider" configuration
> parameter in the "identity-provider-redirector". The old Operator used this
> functionality here [1] and Peter wanted to port it to the new Operator.
> @Peter - if I may ask you - could you please describe the use case this is
> being used in?
>
> During our initial conversation, we agreed that we want to set up all Realm
> bits in a single REST call. In other words - Keycloak Realm CR should match
> exported realm JSON format. However, modifying existing browser flow hardly
> fits into this scenario. It would require sending a JSON with full list of
> "authenticationFlows" as well as a full list of "authenticatorConfig"
> objects (as Config is matched with an authentication flow using an id).
>
> I experimented with an exported Realm and here's what I have [2]. As you
> probably noticed - it's enormous and very fragile (as it contains many,
> many options I have to set upfront).
>
> Do you have any idea how to solve this? I have three options in my head:
> 1) Use a second REST call (after creating a Realm) and modify the
> "authenticatorConfig". In other words - do everything exactly the same way
> the old Operator did
>

I don't like this at all as it is a Pandora's box.


> 2) Force users to embed the full Realm configuration every time they
> create a Realm.
>

I would go for this option for now, as it will probably be quite a bit of
effort to do it properly, as that requires somehow to specify some config
overrides for the default authn flows on import.


> 3) Create some sort of profiles in Keycloak. This way, when an Operator
> uses proper profile, we set the "defaultProvider" to proper value
> out-of-the-box.
>

I don't really understand what you are proposing in option 3.


>
> Thanks,
> Sebastian
>
> [1]
> https://github.com/integr8ly/keycloak-operator/blob/d97ee5de8c2b227d684ad5e8e8f50efb1a0fafa8/pkg/keycloak/realm/phaseHandler.go#L620
> [2]
> https://gist.github.com/slaskawi/79847124a268b94c8391e01f13b21409#file-keycloak-operator-browser-redirector-json-L404
>

