Sounds good
On 29 November 2015 at 21:27, Marek Posolda <mposolda(a)redhat.com> wrote:
On 27/11/15 11:52, Stian Thorgersen wrote:
Is direct grant and implicit disabled by default?
>
> Implicit is disabled, but direct grant is enabled by default. This is
> just for backwards compatibility, as in 1.6, we have direct grant defacto
> enabled for all clients. If we want to have it disabled by default, we
> should add big note to migration docs. Or we can have it enabled for all
> clients migrated from previous version, but keep the switch "off" in admin
> console for new clients?
>

On for old, off for new works for me.

Thinking that it's a bit tricky... For example, if you import
testrealm.json with the demo example, direct grants will be enabled for all
clients, but at the same time the switch for newly created clients will be
disabled. Looks strange to me.
I wonder whether, for migration, it is more proper to enable direct grants
just for the clients which have the "directGrantsOnly" switch enabled? Those
are most likely the clients which were used for the direct grants use case
in the previous version.
>
> At least, we have people who want to log in to the admin REST API by
> default (without needing to go to the admin-console UI first and enable direct
> grant for some client), so I guess this possibility should still be kept.
>

In reality they should not be using the admin console client to do so.
They should create a separate client for it, I think. We need to sort out
some sort of bootstrapping for it though. Or maybe we have an admin-cli
client?

+1 for admin-cli client.
So how about this:
- new clients will have "direct access grant" switch off by default
- Clients migrated from the previous version will have "direct access grant"
on only if they had "direct grants only" enabled. So those clients will have
"standard=off, direct access grants=on"
- A new builtin client "admin-cli" will be added to each realm. It will be a
public client with "standard=off, implicit=off, directAccessGrants=on" and
will have the same scope as the current "security-admin-console"
- security-admin-console will have directAccessGrants=off. This will be
done automatically during migration from the previous version (as it has
directGrantsOnly=off in 1.6.1).
- A big note will be added to the migration guide
Marek
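The migration rule proposed in the last message, written out as an added Python example (not Keycloak's own migration code): the 1.6 key "directGrantsOnly" comes from the thread, the per-flow key names follow Keycloak's client representation but are assumptions here, and the sample realm export is constructed.

```python
# Constructed sample 1.6-style realm export (not a real Keycloak file).
# In 1.6 every client could use direct grants; "directGrantsOnly" marked a
# client that used only direct grants and no browser login flow.
OLD_REALM = {
    "realm": "demo",
    "clients": [
        {"clientId": "security-admin-console", "publicClient": True, "directGrantsOnly": False},
        {"clientId": "product-portal", "publicClient": False, "directGrantsOnly": False},
        {"clientId": "mobile-app", "publicClient": True, "directGrantsOnly": True},
    ],
}


def migrate_client(old):
    """Map a 1.6 client to per-flow switches (key names assumed): direct grants
    stay on only for directGrantsOnly clients; standard flow is the inverse."""
    direct_only = bool(old.get("directGrantsOnly", False))
    new = {k: v for k, v in old.items() if k != "directGrantsOnly"}
    new["standardFlowEnabled"] = not direct_only
    new["implicitFlowEnabled"] = False
    new["directAccessGrantsEnabled"] = direct_only
    return new


def admin_cli_client():
    """Built-in public client for scripted admin REST access: direct grants only."""
    return {"clientId": "admin-cli", "publicClient": True,
            "standardFlowEnabled": False, "implicitFlowEnabled": False,
            "directAccessGrantsEnabled": True}


def new_client(client_id, public=False):
    """Defaults for a client created after the change: direct grants off."""
    return {"clientId": client_id, "publicClient": public,
            "standardFlowEnabled": True, "implicitFlowEnabled": False,
            "directAccessGrantsEnabled": False}


def migrate_realm(old_realm):
    """Migrate every client and add admin-cli if the realm lacks one."""
    clients = [migrate_client(c) for c in old_realm.get("clients", [])]
    if not any(c["clientId"] == "admin-cli" for c in clients):
        clients.append(admin_cli_client())
    return {**old_realm, "clients": clients}


def direct_grant_clients(realm):
    """Audit helper: clientIds that still accept password (direct access) grants."""
    return sorted(c["clientId"] for c in realm["clients"]
                  if c.get("directAccessGrantsEnabled"))
```

After migration, `direct_grant_clients` lists only the clients that were direct-grants-only plus admin-cli, so the security-admin-console no longer accepts password grants.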