On 2/27/2014 4:45 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, 27 February, 2014 3:08:13 AM
> Subject: Re: [keycloak-dev] Refactoring Model
>
> Ok, I did the first phase of this. Most code is now dealing with
> ClientModel rather than UserModel in the TokenService, et. al.
>
> I hope nobody is working on anything major :) I'm just trying to avoid
> duplicating a lot of code. I"d also like to eventually not use a User
> to model any type of client as I'm worried about username clashes and such.
+1 Assuming you're talking about getting rid of ClientModel.get/setAgent and just
pulling all required fields from UserModel into ClientModel. It would also be nice to
remove the "special" roles we have (KEYCLOAK_APPLICATION and
KEYCLOAK_IDENTITY_REQUESTER).
I'll do a 2nd rev of this refactoring today and get rid of the
ClientModel.agent and special roles too.
One idea I had was to rename ApplicationModel to ResourceModel. A
resource would only have name and roles. No web-origins, redirect-uris, secret or scope
mapping. Then we'd add an option to ClientModel to automatically grant access instead.
I think that makes the distinction clearer. Basically if your modelling something that is
accessed through roles, you create a resource. If you're modelling something that
wants to login users you create a client. And as some clients would be
"internal" they have the option of automatically being granted permissions.
I like that for an implementation detail at least. Not sure about
propagating that idea to the admin console though.
Applications have always been special in that they don't require an
oauth grant page, can be administered, you can log out of them, and
eventually we'll have screens for session management and stuff and
things like that for them. For clustering, at least for Wildfly/JBoss,
I don't even think it makes sense to have the idea of a "deployment" as
I believe cluster nodes would get the same configuration from the domain
controller (client_id, secret, etc.). What we can do for a cluster is
make Admin URl a Set<URI> maybe even the same with Redirect URI.
I do think I want to rename OAuth Client to Client though.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com