<div dir="ltr">My comments inline.<br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Feb 25, 2014 at 12:31 PM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">So you want to bind a URL to a specific adapter configuration?<br>
<secured-deployment> might have a <url-pattern> and/or keycloak.json<br>
might be expanded to do the same.<br>
<br>
url-pattern could be /foo/bar/*<br>
<br>
or even /foo/bar/{realm}/* and keycloak adapter would pull and match a<br>
realm configuration based on this?<br>
<br></blockquote><div>yes something like this would do. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
More comments inline<br>
<div class=""><br>
On 2/24/2014 2:28 PM, Travis De Silva wrote:<br>
><br>
> I had a look at your thoughts on how to do this with Aerogear. If I<br>
> understand the concept correctly, with the UPS + Keycloak in one bundle<br>
> option, we have to update the jboss wildfly config on the fly whenever<br>
> we get new tenants. I did not think of this option and not sure if this<br>
> could be done with wildfly without having to restart wildfly, but even<br>
> if that is possible, that means we are going to have a large list of<br>
> wildfly adapter profiles and I don't think that is practical. Just think<br>
> even if we get 200 tenants, this is going to make it very complicated.<br>
> Also I think the concept is one war per realm so this might not even be<br>
> possible for a single application multi tenant model.<br>
><br>
<br>
</div>There's just no way around a large number of adapter profiles in your<br>
scenario. Each realm has its own public key in which to verify tokens<br>
with. Each of these public keys must be known to the adapter.<br>
<br></blockquote><div><br></div><div>What about the <span style="color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px">Per war configuration? I didn't see realm level config in there? So won't that work?</span></div>
<div><span style="color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><br></span></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
FYI: Originally we were going to have Keycloak as a SaaS option hosted<br>
as one server on Openshift <a href="http://sso.keycloak.org" target="_blank">sso.keycloak.org</a> or something. Users would<br>
have been able to register and create their own realms. It was decided<br>
that users might be a little scared of the idea of one database holding<br>
everybody's security metadata, so the idea switched to writing a<br>
cartridge which you could configure solely for your organization. I<br>
guess what I'm saying is that a cartridge approach might be best in most<br>
scenarios. Still I want to support your usecase as best we can.<br>
<br></blockquote><div><br></div><div>I agree that you guys made the right call. Its the devs who would have built applications on your SaaS platform who would have had issues with that approach. But in our case, end users would not have an issue, especially with the Social Login which ensures that we don't retain their credentials.</div>
<div><br></div><div>Also I appreciate you trying to support this use case. I also don't think you can support all use cases but if there is workarounds or hocks to handle this, then devs like us can work around it. It's ok not to have these features out of the box but at least if there is a way that is great.</div>
<div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
BTW, I really appreciate the feedback. Without users trying our stuff<br>
and giving us ideas on how they would like to use Keycloak, we'll never<br>
be successful. Thanks.<br></blockquote><div><br></div><div>Thanks for the comment. You might not be aware but I have been following you from your angry Bill days and I think you are one smart dude and with guys like you, Keycloak is in good hands :) </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class=""><div class="h5"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</div></div></blockquote></div><br></div></div>