Users want Keycloak to work like their existing solutions. Users have
peculiar use cases they need to solve. As engineers, we want to satisfy
our customers' needs so we add option after option.
This worries me...
We have to constantly think about the Keycloak "vision". We need to
continually think about how users *should* use Keycloak rather than how
they want to use it. Every time we add a new configuration option to
Keycloak we add complexity. We make Keycloak harder to understand and
use. We need to keep this in mind as we go forward over the next few
months. When customers ask for a new feature we need to ask them or think:
* Is there an existing way to do this?
* Should we allow this option?
* Is there a better way to solve the customer's need?
A big one is: Can we enforce specific policies to make Keycloak easier to
configure? For example, as a SAML IDP, we can say, sorry, but any SP
needs to be able to handle signed SAML documents. We don't need to
provide the config switch to not sign a document. Get what I mean?
BTW, this is why I get so pissy whenever you guys want to add another
SPI or config switch. I know how these types of things snowball as a
project ages. You can collapse under the weight of them. Having a
"vision" helps tremendously as you tell users how they should be doing
security rather than just doing whatever they want.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com