The idea for provider config was:
A provider can have a server-wide config (keycloak-server.json) as well as realm-specific
configs.
Server-wide config would at least initially be configured only through
keycloak-server.json and would also require a server restart. We could look at making this
configurable through admin console as well.
Realm specific config would be configurable through the admin console. You would go to a
"Providers" tab in the admin console, then you'd have a menu that lists out
all SPIs. So you would for example click on Sync. You could then configure which Sync
providers are enabled for the Realm, as well as set configuration for them. With regards
to config I thought key/value would be sufficient, and much simpler to deal with.
With that in mind, it would probably make sense that KeycloakSession would be bound to a
specific realm so we could create Provider instances with the correct config.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 16 July, 2014 1:59:51 PM
Subject: Re: [keycloak-dev] UserProvider merged
On 7/16/2014 8:47 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Wednesday, 16 July, 2014 1:27:21 PM
>> Subject: Re: [keycloak-dev] UserProvider merged
>>
>>
>>
>> On 7/16/2014 4:23 AM, Stian Thorgersen wrote:
>>>> * JPA and Mongo RealmEntity and UserEntity should be refactored to be
>>>> attribute based as in the Hybrid model. As Stian suggested, this will
>>>> allow us flexibility in the future.
>>>
>>> I'd also like to have a generic configuration mechanism for providers.
>>> This
>>> would include being able to store configuration as well as change it
>>> through the admin console.
>>>
>>> Potentially something I could work on while you guys do sync?
>>>
>>
>> This would overlap with sync refactor. Just a thought, except for our
>> base LDAP support, would we want generic config mechanism in admin
>> console? What if user needs something more than name/value pairs for
>> config?
>
Re-reading what you wrote, maybe I misunderstood? You want a generic
way to store and manage keycloak-server.json through admin console?
> Generic config mechanism for sync you mean?
>
Yes.
I think sync is in two parts:
* A UserProvider. For on-demand sync.
* A "cron job" for periodic bulk sync.
Both would want generic config mechanism and realm-specific storage for
this config.
> I was thinking it would be nice to have something available to all SPIs and
> providers. Name/value pairs would be simplest with regards to storing and
> also editing through the admin console.
>
What are the security implications of this in a multi-tenant
environment? Might not want a specific realm admin to be able to modify
keycloak-server.json.
What about just allowing the user to enter JSON?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
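The two config scopes discussed in this thread (server-wide key/value defaults from keycloak-server.json plus realm-specific overrides, with a realm admin unable to touch the server-wide scope) can be sketched as follows. This is an added illustration written for this page, not Keycloak code; the class and method names, and the RealmAdmin caller type, are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch (not Keycloak's own API) of provider configuration with
// two scopes. Server-wide config is loaded at boot and is read-only from the
// admin console; realm-scoped config is the only scope a realm admin can write,
// and only for their own realm. That keeps a tenant admin in a multi-tenant
// deployment from altering settings that affect every realm.
public class ProviderConfigStore {

    // Identity of the caller performing an admin-console write (assumed type).
    public static final class RealmAdmin {
        final String realm;
        public RealmAdmin(String realm) { this.realm = realm; }
    }

    // spi -> key/value, populated from keycloak-server.json at startup
    private final Map<String, Map<String, String>> serverConfig = new HashMap<>();
    // realm -> spi -> key/value, editable per realm through the admin console
    private final Map<String, Map<String, Map<String, String>>> realmConfig = new HashMap<>();

    // Server-wide values are set only by the boot-time loader, never by a RealmAdmin.
    public void loadServerConfig(String spi, Map<String, String> values) {
        serverConfig.computeIfAbsent(spi, k -> new HashMap<>()).putAll(values);
    }

    // Realm-scoped write: the target realm is always the caller's own realm, so
    // this API offers no path to another tenant's config or to the server scope.
    public void setRealmValue(RealmAdmin caller, String realm, String spi, String key, String value) {
        if (caller == null || !caller.realm.equals(realm)) {
            throw new SecurityException("only an admin of realm '" + realm + "' may change its provider config");
        }
        realmConfig.computeIfAbsent(realm, r -> new HashMap<>())
                   .computeIfAbsent(spi, s -> new HashMap<>())
                   .put(key, value);
    }

    // Lookup for a session bound to one realm: the realm value wins,
    // otherwise fall back to the server-wide default (null if neither is set).
    public String resolve(String realm, String spi, String key) {
        Map<String, String> perRealm = realmConfig.getOrDefault(realm, Map.of()).get(spi);
        if (perRealm != null && perRealm.containsKey(key)) {
            return perRealm.get(key);
        }
        Map<String, String> perServer = serverConfig.get(spi);
        return perServer == null ? null : perServer.get(key);
    }
}
```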