In Thunderlips, we have a requirement that console applications should
not be required to know where the Keycloak server resides at build
time. Furthermore, an administrator should not need to crack open a WAR
to include this information. Instead, the application should learn
about its environment at deploy time.
Picketlink already has this capability, but I think we can go beyond
what it currently offers. The basic idea for the Keycloak subsystem is
that no application should ever need to define anything about
authentication. At development time, the application should not need to
know anything about Keycloak or really anything about authentication at
all. The application should only need to know about authorization and
the roles it wants to define.
So using the Keycloak subsystem, an application will not be required to use:
* keycloak.json
* jboss-web.xml
* jboss-deployment-structure.xml
(Did I leave anything out? It looks like this is what an app currently
needs to work with Keycloak.)
From the Keycloak admin UI, you will be able to choose an application
and add it to a Keycloak realm. When that application is deployed, the
Keycloak subsystem adds all that used to be defined in keycloak.json,
jboss-web.xml, and jboss-deployment-structure.xml.
The big picture is that a developer never needs to think about
authentication, and an administrator never needs to crack open a WAR or
worry about what authentication was built into some WAR he wants to deploy.
WDYT?
Stan
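As an added illustration (editor's sketch, not part of Stan's message and not code from the Keycloak project): the adapter configuration a WAR carries today in the three files named above, placed beside the kind of server-side stanza a subsystem could supply at deploy time. The subsystem element names, the `secure-deployment`/deployment-name join key and the namespace URI are assumptions modelled on the keycloak.json keys, not a published schema; the realm, resource, URL and secret values are placeholders.

```xml
<!-- Part 1: what a WAR carries today (editor's sketch; values are placeholders) -->

<!-- WEB-INF/keycloak.json, shown as the equivalent JSON inside a comment:
     {
       "realm": "demo",
       "resource": "customer-portal",
       "auth-server-url": "http://localhost:8080/auth",
       "ssl-required": "external",
       "credentials": { "secret": "CHANGEME" }
     }
     Note that the client secret and the server location are baked into the
     build artifact here, which is exactly what the proposal wants to avoid. -->

<!-- WEB-INF/jboss-web.xml: binds the app to the Keycloak security domain -->
<jboss-web>
    <security-domain>keycloak</security-domain>
</jboss-web>

<!-- WEB-INF/jboss-deployment-structure.xml: pulls the adapter modules into
     the deployment's class path (other adapter modules omitted for brevity) -->
<jboss-deployment-structure>
    <deployment>
        <dependencies>
            <module name="org.keycloak.keycloak-adapter-core"/>
        </dependencies>
    </deployment>
</jboss-deployment-structure>

<!-- Part 2: what a subsystem could hold instead, in the server's standalone.xml,
     keyed by deployment name so the WAR itself stays authentication-agnostic.
     Element names and the namespace URI are assumptions for illustration. -->
<subsystem xmlns="urn:jboss:domain:keycloak:1.0">
    <secure-deployment name="customer-portal.war">
        <realm>demo</realm>
        <resource>customer-portal</resource>
        <auth-server-url>http://localhost:8080/auth</auth-server-url>
        <ssl-required>external</ssl-required>
        <credential name="secret">CHANGEME</credential>
    </secure-deployment>
</subsystem>
```

The two parts are separate files, not one XML document. The practical check for a deployer is the one the sketch makes visible: with the first form, a client secret and an environment-specific URL ship inside every build of the WAR; with the second, the same artifact can be deployed against any realm and the secret lives only in server configuration, so rotating it or pointing the app at another Keycloak server is a server-side change rather than a rebuild.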