<p dir="ltr">There are two issues here really:</p>
<p dir="ltr">#1 KeycloakSession bound to a realm. Pretty much all requests with the exception of admin can take the realm from KeycloakContext. I'd like to extend that so realm can always be returned from KeycloakContext, which I think we will get to when we redo master realm stuff.</p>
<p dir="ltr">#2 Shorten/clean-up urls. Resources could in fact be realm specific. There could be different cache settings, or even different images etc for each realm. The fact that it's not ATM is more a limitation than anything. Version doesn't matter if it's avail under a realm or not really.</p>
<p dir="ltr">I reckon dropping realms wouldn't just shorten the url, but also make things cleaner and simpler.</p>
<div class="gmail_quote">On 9 Dec 2015 6:16 pm, "Marek Posolda" <<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">+1<br>
<br>
some things like ServerVersionResource or static resources ( keycloak.js<br>
etc) are just not tied to any specific realm. Removing "/realms" would<br>
mean that we will need to move all of them under the path specific to<br>
some realm. For example move keycloak.js under<br>
"<a href="http://localhost:8080/auth/foo/keycloak.js" rel="noreferrer" target="_blank">http://localhost:8080/auth/foo/keycloak.js</a>" . But that doesn't seem to<br>
be very good practice as keycloak.js is not resource specific to realm<br>
"foo" .<br>
<br>
If we want shorter and more user-memorable URLs, we can maybe introduce<br>
some URLAliasService, where people will have the possibility to define short<br>
URL aliases for some endpoints. This might have support for regexes etc.<br>
However Apache HTTPD already provides something like this AFAIK.<br>
<br>
Marek<br>
<br>
<br>
On 09/12/15 15:33, Bill Burke wrote:<br>
> Once we go to host/{realms} we are stuck with it. The matching rules of<br>
> JAX-RS will prevent us from adding any top level resource that is more<br>
> specific. Stian, we might want to reconsider removing "/realms".<br>
><br>
> On 12/8/2015 5:34 AM, Stian Thorgersen wrote:<br>
>> 'admin' will probably move at some point to be under the realm.<br>
>><br>
>> 'version' would move as well. Although this one should probably be<br>
>> removed altogether.<br>
>><br>
>> KeycloakSession and SPIs need to be tied to a specific realm. This<br>
>> makes everything cleaner.<br>
>><br>
>> Besides it just doesn't make any sense to add arbitrary rest endpoints<br>
>> to Keycloak. A rest endpoint should be tied to a realm, otherwise it<br>
>> just doesn't make sense to host it on the Keycloak server.<br>
>><br>
>><br>
>><br>
>> On 8 December 2015 at 11:18, Erik Mulder<br>
>> <<a href="mailto:erik.mulder@docdatapayments.com">erik.mulder@docdatapayments.com</a><br>
>> <mailto:<a href="mailto:erik.mulder@docdatapayments.com">erik.mulder@docdatapayments.com</a>>> wrote:<br>
>><br>
>> Stian, I can see your point. Using the realm name as the root level<br>
>> certainly has advantages. It also really fixes everything to a<br>
>> realm, but I guess that is what you want. So how about the current<br>
>> ‘/admin’ url, how does that fit in the new picture? Because that<br>
>> would be my next best target to hook into. Furthermore, there’s<br>
>> currently a ‘/version’ root path that should end up somewhere else.<br>
>> Personally, I think it’s not so bad to have a descriptive root level<br>
>> like ‘realms’, which leaves open the possibility to add extra root<br>
>> level paths, like meta data (version) or special contexts (admin,<br>
>> customPath).<br>
>><br>
>> *From:* Stian Thorgersen [mailto:<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a><br>
>> <mailto:<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>>]<br>
>> *Sent:* Tuesday 8 December 2015 10:32<br>
>> *To:* Greg Jones <<a href="mailto:gregj@thesoftwarecottage.com.au">gregj@thesoftwarecottage.com.au</a><br>
>> <mailto:<a href="mailto:gregj@thesoftwarecottage.com.au">gregj@thesoftwarecottage.com.au</a>>><br>
>> *CC:* Erik Mulder <<a href="mailto:erik.mulder@docdatapayments.com">erik.mulder@docdatapayments.com</a><br>
>> <mailto:<a href="mailto:erik.mulder@docdatapayments.com">erik.mulder@docdatapayments.com</a>>>;<br>
>> <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a> <mailto:<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>><br>
>><br>
>> *Subject:* Re: [keycloak-dev] Add custom REST paths? New SPI?<br>
>><br>
>> -1 To adding rest endpoints to the root level. I'd like to get rid<br>
>> of 'realms' part at some point and have all rest endpoints sit<br>
>> underneath a realm. This makes sure the KeycloakSession always knows<br>
>> what realm is being handled, so we don't need to pass the realm<br>
>> around as it can be retrieved from the KeycloakContext. It also means<br>
>> that the url can be shortened as we can drop the 'realms' part.<br>
>><br>
>> On 8 December 2015 at 10:22, Greg Jones<br>
>> <<a href="mailto:gregj@thesoftwarecottage.com.au">gregj@thesoftwarecottage.com.au</a><br>
>> <mailto:<a href="mailto:gregj@thesoftwarecottage.com.au">gregj@thesoftwarecottage.com.au</a>>> wrote:<br>
>><br>
>> +1 for these changes. We have been looking at a way to add<br>
>> custom REST endpoints and would be happy to use this approach.<br>
>><br>
>> Regards<br>
>> Greg Jones<br>
>><br>
>><br>
>><br>
>> > On 8 Dec 2015, at 8:17 PM, Erik Mulder<br>
>> <<a href="mailto:erik.mulder@docdatapayments.com">erik.mulder@docdatapayments.com</a><br>
>> <mailto:<a href="mailto:erik.mulder@docdatapayments.com">erik.mulder@docdatapayments.com</a>>> wrote:<br>
>> ><br>
>> > Pedro's change (see below) is kind of what I was looking for,<br>
>> but for my case and for general flexibility I think it's good to<br>
>> also have a more basic point to hook into the REST APIs.<br>
>> > I implemented and tested my own suggestion of having an SPI<br>
>> to be able to add a REST resource at the root level. Combined<br>
>> with the (coming) ability to freely extend the JPA entities and<br>
>> DB schema, I think this creates a really powerful extensibility<br>
>> to Keycloak. When we finish these changes, I can write a blog<br>
>> post about what we did, why and how as a showcase for custom<br>
>> extensions to Keycloak.<br>
>> ><br>
>> > So are the Keycloak devs open to a PR with a new SPI that<br>
>> enables you to add custom REST paths?<br>
>> > For example, you could create something like:<br>
>> > <a href="http://localhost:8080/auth/myPath/myResource" rel="noreferrer" target="_blank">http://localhost:8080/auth/myPath/myResource</a><br>
>> ><br>
>> ><br>
>> > -----Original Message-----<br>
>> > From: Pedro Igor Silva [mailto:<a href="mailto:psilva@redhat.com">psilva@redhat.com</a><br>
>> <mailto:<a href="mailto:psilva@redhat.com">psilva@redhat.com</a>>]<br>
>> > Sent: Monday 7 December 2015 22:18<br>
>> > To: Erik Mulder <<a href="mailto:erik.mulder@docdatapayments.com">erik.mulder@docdatapayments.com</a><br>
>> <mailto:<a href="mailto:erik.mulder@docdatapayments.com">erik.mulder@docdatapayments.com</a>>><br>
>> > Subject: Re: [keycloak-dev] Add custom REST paths? New SPI?<br>
>> ><br>
>> > It is part of a work in progress around fine-grained<br>
>> authorization [1].<br>
>> ><br>
>> > The new SPI changes [2] specific to Keycloak are located in a<br>
>> specific branch [3] in my Keycloak fork.<br>
>> ><br>
>> > I need to discuss these changes with Bill and see what he<br>
>> thinks about it. Depending on his feedback, I can prepare a PR<br>
>> and send these changes to upstream.<br>
>> ><br>
>> > [1] <a href="https://github.com/pedroigor/keycloak-authz" rel="noreferrer" target="_blank">https://github.com/pedroigor/keycloak-authz</a><br>
>> > [2]<br>
>> <a href="https://github.com/pedroigor/keycloak/commit/5e99614aacb70f7840a5ae25cfeaf3fc9d74ac54" rel="noreferrer" target="_blank">https://github.com/pedroigor/keycloak/commit/5e99614aacb70f7840a5ae25cfeaf3fc9d74ac54</a><br>
>> > [3]<br>
>> <a href="https://github.com/pedroigor/keycloak/tree/keycloak-authz-modified" rel="noreferrer" target="_blank">https://github.com/pedroigor/keycloak/tree/keycloak-authz-modified</a><br>
>> ><br>
>> > Regards.<br>
>> ><br>
>> > ----- Original Message -----<br>
>> > From: "Erik Mulder" <<a href="mailto:erik.mulder@docdatapayments.com">erik.mulder@docdatapayments.com</a><br>
>> <mailto:<a href="mailto:erik.mulder@docdatapayments.com">erik.mulder@docdatapayments.com</a>>><br>
>> > To: "Pedro Igor Silva" <<a href="mailto:psilva@redhat.com">psilva@redhat.com</a><br>
>> <mailto:<a href="mailto:psilva@redhat.com">psilva@redhat.com</a>>><br>
>> > Sent: Monday, December 7, 2015 5:51:26 PM<br>
>> > Subject: RE: [keycloak-dev] Add custom REST paths? New SPI?<br>
>> ><br>
>> > Great, that's probably all we need!<br>
>> > I'd like to try it out, but I cannot find any reference to<br>
>> what you mention on Github. Is it (going to be) a pull request?<br>
>> Is it going to be part of a future release?<br>
>> > Can you point me to / provide me with these changes so I can<br>
>> give it a spin? Thanks!<br>
>> ><br>
>> > ________________________________________<br>
>> > From: Pedro Igor Silva [<a href="mailto:psilva@redhat.com">psilva@redhat.com</a><br>
>> <mailto:<a href="mailto:psilva@redhat.com">psilva@redhat.com</a>>]<br>
>> > Sent: Monday 7 December 2015 16:03<br>
>> > To: Erik Mulder<br>
>> > CC: <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
>> <mailto:<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>><br>
>> > Subject: Re: [keycloak-dev] Add custom REST paths? New SPI?<br>
>> ><br>
>> > I've done something in this regard, where you can use an SPI<br>
>> in order to plug additional APIs for:<br>
>> ><br>
>> > * Realm Admin RESTful API (eg.: used by admin console)<br>
>> > * Realm RESTful API (eg.: to plug additional endpoints<br>
>> for realms)<br>
>> ><br>
>> > The two Provider interfaces are very simple and just provide<br>
>> a single method:<br>
>> ><br>
>> > Object getResource(String pathName);<br>
>> ><br>
>> > Where pathName is the path that must be resolved to your<br>
>> custom JAX-RS resource.<br>
>> ><br>
>> > The factories are also very simple and allow you to build<br>
>> those resources for the current Realm and KeycloakSession. Eg.:<br>
>> ><br>
>> > RealmResourceProvider create(RealmModel realm,<br>
>> KeycloakSession keycloakSession);<br>
>> ><br>
>> > Do you need something other than that?<br>
>> ><br>
>> > Regards.<br>
>> > Pedro Igor<br>
>> ><br>
>> > ----- Original Message -----<br>
>> > From: "Erik Mulder" <<a href="mailto:erik.mulder@docdatapayments.com">erik.mulder@docdatapayments.com</a><br>
>> <mailto:<a href="mailto:erik.mulder@docdatapayments.com">erik.mulder@docdatapayments.com</a>>><br>
>> > To: <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
>> <mailto:<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>><br>
>> > Sent: Monday, December 7, 2015 12:46:39 PM<br>
>> > Subject: [keycloak-dev] Add custom REST paths? New SPI?<br>
>> ><br>
>> > As some of you might know, our team is busy adding data to<br>
>> the keycloak system to incorporate some custom authorization<br>
>> information in the access token.<br>
>> > So far we've successfully extended the JPA entities,<br>
>> Liquibase table definitions and added a custom mapper to put<br>
>> that data in the access token. All of this without custom<br>
>> modifications to the original keycloak sources. This is working<br>
>> great, thanks for the support so far!<br>
>> > I know I've promised some PRs for this and they will come,<br>
>> but first we'd like to get everything fully working, so we know<br>
>> it's a well functioning whole.<br>
>> ><br>
>> > The last piece of the puzzle is extending the REST services<br>
>> to include CRUD actions for our custom resources. I've been<br>
>> looking into the way RESTEasy/JAX-RS works and it seems to me<br>
>> that in the current implementation there is no way to add extra<br>
>> paths. As I see it now, the KeycloakApplication class will<br>
>> register some singletons in its constructor and that's that. No<br>
>> way to extend or to 'interfere' there.<br>
>> ><br>
>> > So my question is: is there any 'official' way to add extra<br>
>> REST paths to Keycloak?<br>
>> ><br>
>> > If not, is it an idea to add this as a new SPI? The current<br>
>> code for adding root paths in the KeycloakApplication<br>
>> constructor lists:<br>
>> ><br>
>> > singletons.add(new ServerVersionResource());<br>
>> > singletons.add(new RealmsResource());<br>
>> > singletons.add(new AdminRoot());<br>
>> ><br>
>> > So just plain constructor calls. That seems like an easy<br>
>> target for 'SPI-ing' :-).<br>
>> > Or just leave the current ones 'hardcoded' and add an SPI for<br>
>> custom extensions.<br>
>> > Your thoughts on this please.<br>
>> ><br>
>> > As before, I'm happy to implement this myself, but I'd like<br>
>> to discuss it first, so a future PR will be honored.<br>
>> ><br>
>> ><br>
>> > _______________________________________________<br>
>> > keycloak-dev mailing list<br>
>> > <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
>> <mailto:<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>><br>
>> > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
>> ><br>
</blockquote></div>