4:10 a.m.
I think we need to have:
* REST endpoints for admin tasks - managing realms, applications and users - it should be
possible to authenticate to these using TokenService
* REST endpoints for user tasks - login, register, change password, etc. - same again
authenticate using TokenService
* Document all REST endpoints
* Forms for required user actions - register, verify email, reset password, update profile
(for social)
The admin console could be (and should be IMO) separated out completely. To enable it you
would register it as an application with the Keycloak server and configure it in the same
way as you use any other application. This way it can be released separately to the main
Keycloak server (and also deployed separately). I also think we should get rid of the
authentication parts in SaasService and use TokenService instead. This is to reduce the
duplicated effort, and also I think that's the correct approach in either case - the
admin console (and any other consoles, cli, etc.) should just be applications registered
with Keycloak and use public rest endpoints for authentication and to manage
realms/apps/users.
It would be nice to have the user account management pages as well, but this should
definitively be a feature that can be dropped depending on resources and time. Users
can't be expected to use REST endpoints, but admins could (at least for m1, and with
some examples for editing realms, users, etc. with curl).
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 19 September, 2013 2:11:18 AM
Subject: [keycloak-dev] M1 release scope
We need to decide what we want to do for M1. Here's my stab at it.
Let's discuss in email first as much as we can and then have a hangout
sometime next week to go over it and nail things down.
First and foremost. We have to focus. No new features. No playing
around. For example: no adding refresh token support. No client-cert
support. No changes to protocols. No new backends. Let's just use
Picketlink JDBC. No 'forgot password' using SMS, etc... You get the
picture.
Required:
* Social Broker login with as many providers as possible. Minimally
Google and Facebook.
* SSO and SLO (Single Log Out)
* Password and TOTP login
* OAuth Client Grant support
* Example with apps using all o these features
* Keycloak website setup and finalized
* Online video walking through a demonstration of features
* Online video walking though how to configure it
* JBoss 7.1.x Community and JBoss EAP 6.1 support
Knowing this there are two paths we can take. We can either include an
Admin UI in M1 or not. IMO, if we do *NOT* have an Admin UI for M1, we
probably need to not have registration or account management. Here's
what it might look like:
Option #1: No Input UIs
* A read-only XML/JSON file-based backend. Users must edit this to add
users, roles, etc...
* No Admin UI
* No Registration, forgotten passwords, account management. All these
require runtime updates to the database.
* What would we do about social though? As it requires registration?
Work required (time estimates could take shorter or longer depending on
interruptions):
* 1-2 man-weeks to do file-based back-end
* 1-5 days to design the OAuth Grant Pages.
* 1 day to incorporate Grant pages
* Do we want fancier demo apps to show SSO and OAuth Grants? If so,
this is minimum 2 weeks. 1 to get Event Juggler hooked into Keycloak.
1+ weeks to create another related SSO application. 1+ more to create
an OAuth application.
* 1 week to organize the Website and create demo videos.
* 1-2 weeks for documentation
* 1+ weeks to decide and implement how we're going to distribute
keycloak. Will it be a AS7 and/or EAP distro? A WAR? etc...
So best case scenario is end of October. It would minimally require
myself and Gabriel. Others would be needed if we want fancier demo apps
as it is beyond my ability to create a nice looking demo app in a short
period of time.
Option #2: UIs
This would take a lot more work as we would need to finish up the admin,
registration, and account management UIs. I'd say Christmas time would
be a viable M1 release for this. This would require everybody.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev