+1000
This would simplify a lot of things. Currently, even though I know the code pretty well, I still get confused when it comes to admin roles, master admin clients and all that jazz.
It would also simplify the admin endpoints and we can drop "realms" from urls. We could also drop "auth" from urls on the standalone Keycloak server. That would make URLs nicer. So it would be:
/<realm name>/protocol/openid-connect/
/<realm name>/admin
Instead of what we have atm:
/auth/realms/<realm name>/protocol/openid-connect/
/auth/realms/<realm name>/admin
I think we should have a dedicated create-realm role, rather than allow admin to do it. We should make it possible to enable/disable realm creation from within a specific realm.
One question with regard to trusting users from one realm in another: how would you manage role permissions? I think all permissions for one realm should be managed within that realm. We should also hide the security-admin-console from the clients list.
We also need to figure out how to prevent the admin escalation problem we have. It should be possible to configure what roles a specific admin is allowed to grant to users.
One question though. Instead of having many changes in 1.8, would it make more sense to just say enough is enough? Let's get started on 2.x and be a bit more free with breaking backwards compatibility. Then in 2.x we could:
* Improve SPIs - especially model SPIs and user federation SPIs
* Remove master realm
* Add role namespaces
* Clean-up URLs
* Clean-up admin endpoints
* Etc...