Sounds good to me with the exception of the admin console stuff. I don't think adding
pages to the admin console this way is very elegant. If we're aiming to make the admin
console extensible we should look at UberFire or Hawt to achieve this. However, I think a
much simpler way to achieve the same goal is to add a generic configuration mechanism for
providers, which would just consist of a key/value map. The provider would also return a
list of what keys should be configured.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Saturday, 19 July, 2014 3:05:27 AM
Subject: [keycloak-dev] AuthProvider refactor details
I reviewed Marek's code. The refactor is going to be pretty much
Marek's code except reorganized a little bit. Hopefully you can follow
what I'm saying. I'll try and follow up with code in a few days.
* AuthProvider is going to turn into FederationProvider which is an
extension of UserProvider
public interface FederationProvider extends UserProvider {
String getAdminPage();
Class<? extends FederatonAdmin> getAdminClass();
UserModel proxy(UserModel localUser);
}
* AuthenticationProviderManager is going to turn into a concrete class
which implements UserProvider, FederationManager. It will basically do
the same algorithm as AuthProviderManager for finding users (looping
through the realm's configured FederationProviders), except it will be
using the UserProvider interface and returning UserModels.
- UserModel getXXX() methods will search within "local" storage first
for a user.
- If exists, it will look at the UserModel.getProvider() attribute to
learn which provider to use. Then call FederationProvider.proxy()
method. This will allow the FederationProvider to proxy the UserModel
so it can perform on demand sync.
* KeycloakSession will allocate a FederationManager and wrap it with a
CacheUserProvider instead of getting the "local" user storage provider.
* LDAP/Picketlink code will turn into a set of abstract classes used to
build the LDAPFederationProvider.
- getXXX will try to locate in LDAP store. If exists, it will import
the user into the "local" storage UserModel. It will create a proxy to
this local storage. This proxy will allow on-demand sync.
Configuration:
* AuthentiationProviderModel will be renamed to FederationProviderModel.
RealmModel will also return a list of these
* LDAP code will not use Realm.getLdapConfig(). It will instead use
FederationProviderModel config.
Management:
* Federation configuration will move from the Realm Settings page, to
the Users page.
* getAdminPage and getAdminClass exist so that FederationProvider
plugins can plug-in their own admin console UI and REST API.
* FederationProvider.getAdminPage() will point to a admin console path.
When adding a FederationProvider, the admin console will load this
page for setup/config.
* The FederationProvider.getAdminClass() method will return a JAX-RS
resource locator class that implements
interface FederationAdmin {
void setAdmin(UserModel admin);
void setSession(Keycloak session);
void setRealm(RealmModel realm);
}
* The admin class will be instantiated when invoking REST calls to
.../realms/{realm}/users/providers/{provider-name}/...
That's it in a nutshell. I haven't implemented any of this, its just in
my head and there's probably a lot of details I've overlooked that I'll
figure out when I code.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev