7:16 p.m.
Hi Pedro,
I'm migrating from Picketlink, but I haven't found the way to use fine-grained
permissions, Could u give me some advice on this ?
Thanks,
Cristhian.
2:24 p.m.
New subject: Authz Model Implementation
Hey Crhisthian,
As Bill said, we are working on an Authz Server for Keycloak in order to provide
fine-grained permissions. It is still a working in progress, although we already have a
baseline for a first release which will happen very soon.
From a migration perspective, while PL provides a rich Permission Java API, Keycloak
will provide a distributable authorization server based on a RESTful API to manage
resources, policies, evaluate policies, obtain entitlements and plus other goodies. In
other words, Keycloak will become a PAP (Policy Administration Point), a PDP (Policy
Decision Point) and a Entitlements Server. Everything based on OpenID Connect (and of
course, oAuth2).
As you know, Keycloak is a feature rich, OOTB and easy to use security as a service
solution. We are considering these same premises for the authz server, so you can protect
web apps, RESTful APIs or any other resources very easily. For instance, you'll be
able to write policies using JBoss Drools, EL and easily extend your existing oAuth2
clients in order ask for permissions or enforce them (in case your client acts as a
resource server).
I'm afraid there will be no "migragration path" between PL and KC, at
this sense. But we can work together to make this migration easier. For instance, we are
going to provide a Protection API which can be used to manage resources and policies
remotely.
Regards.
Pedro Igor
----- Original Message -----
From: "Cristhian Camilo Lopez" <calovi86(a)gmail.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Sunday, October 18, 2015 3:16:30 PM
Subject: Re: [keycloak-dev] Authz Model Implementation
Hi Pedro,
I'm migrating from Picketlink, but I haven't found the way to use fine-grained
permissions, Could u give me some advice on this ?
Thanks,
Cristhian.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:45 p.m.
New subject: Authz Model Implementation
Then KC will not have a model in the style of the PL?
This means that those who used the PL hoping that everything in it was in
KC turned out to have a framework discontinued and with no more updates?
Or the PL as it exists today will continue to be developed and there will
be a plus integration with KC?
I am very confused by the merge of the projects, it appears that the
security of my system already died before were born.
at.,
*Arthur P. Gregório*
*+55 45 9958-0302*
@gregorioarthur
www.arthurgregorio.eti.br
2015-10-19 10:24 GMT-02:00 Pedro Igor Silva <psilva(a)redhat.com>:
Hey Crhisthian,
As Bill said, we are working on an Authz Server for Keycloak in order
to provide fine-grained permissions. It is still a working in progress,
although we already have a baseline for a first release which will happen
very soon.
From a migration perspective, while PL provides a rich Permission Java
API, Keycloak will provide a distributable authorization server based on a
RESTful API to manage resources, policies, evaluate policies, obtain
entitlements and plus other goodies. In other words, Keycloak will become a
PAP (Policy Administration Point), a PDP (Policy Decision Point) and a
Entitlements Server. Everything based on OpenID Connect (and of course,
oAuth2).
As you know, Keycloak is a feature rich, OOTB and easy to use security
as a service solution. We are considering these same premises for the authz
server, so you can protect web apps, RESTful APIs or any other resources
very easily. For instance, you'll be able to write policies using JBoss
Drools, EL and easily extend your existing oAuth2 clients in order ask for
permissions or enforce them (in case your client acts as a resource server).
I'm afraid there will be no "migragration path" between PL and KC, at
this sense. But we can work together to make this migration easier. For
instance, we are going to provide a Protection API which can be used to
manage resources and policies remotely.
Regards.
Pedro Igor
----- Original Message -----
From: "Cristhian Camilo Lopez" <calovi86(a)gmail.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Sunday, October 18, 2015 3:16:30 PM
Subject: Re: [keycloak-dev] Authz Model Implementation
Hi Pedro,
I'm migrating from Picketlink, but I haven't found the way to use
fine-grained permissions, Could u give me some advice on this ?
Thanks,
Cristhian.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:56 p.m.
New subject: Authz Model Implementation
Thanks for your clear answer Pedro, I understand the vision that KC is aiming to achieve
and now I know what requirements I’m going to be able to cover with the KC approach.
Also, following the Arthur concerns, IMO the in-house security solutions that were built
using PL are going to follow a different path from KC and will have to be maintained with
resources inside the company or they can extend the SPI that will be provided by KC and
this still will require a high inside resources demand.
I think KC will work for my needs and I will be interested in contributing if it’s
possible. I’m looking forward to test the Authz server.
Regards,
Cristhian.
On Oct 19, 2015, at 7:45 AM, Arthur Gregório
<arthurshakal(a)gmail.com> wrote:
Then KC will not have a model in the style of the PL?
This means that those who used the PL hoping that everything in it was in KC turned out
to have a framework discontinued and with no more updates?
Or the PL as it exists today will continue to be developed and there will be a plus
integration with KC?
I am very confused by the merge of the projects, it appears that the security of my
system already died before were born.
at.,
Arthur P. Gregório
+55 45 9958-0302
@gregorioarthur
www.arthurgregorio.eti.br <http://www.arthurgregorio.eti.br/>
2015-10-19 10:24 GMT-02:00 Pedro Igor Silva <psilva(a)redhat.com
<mailto:psilva@redhat.com>>:
Hey Crhisthian,
As Bill said, we are working on an Authz Server for Keycloak in order to provide
fine-grained permissions. It is still a working in progress, although we already have a
baseline for a first release which will happen very soon.
From a migration perspective, while PL provides a rich Permission Java API, Keycloak
will provide a distributable authorization server based on a RESTful API to manage
resources, policies, evaluate policies, obtain entitlements and plus other goodies. In
other words, Keycloak will become a PAP (Policy Administration Point), a PDP (Policy
Decision Point) and a Entitlements Server. Everything based on OpenID Connect (and of
course, oAuth2).
As you know, Keycloak is a feature rich, OOTB and easy to use security as a service
solution. We are considering these same premises for the authz server, so you can protect
web apps, RESTful APIs or any other resources very easily. For instance, you'll be
able to write policies using JBoss Drools, EL and easily extend your existing oAuth2
clients in order ask for permissions or enforce them (in case your client acts as a
resource server).
I'm afraid there will be no "migragration path" between PL and KC, at
this sense. But we can work together to make this migration easier. For instance, we are
going to provide a Protection API which can be used to manage resources and policies
remotely.
Regards.
Pedro Igor
----- Original Message -----
From: "Cristhian Camilo Lopez" <calovi86(a)gmail.com
<mailto:calovi86@gmail.com>>
To: keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
Sent: Sunday, October 18, 2015 3:16:30 PM
Subject: Re: [keycloak-dev] Authz Model Implementation
Hi Pedro,
I'm migrating from Picketlink, but I haven't found the way to use fine-grained
permissions, Could u give me some advice on this ?
Thanks,
Cristhian.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
<https://lists.jboss.org/mailman/listinfo/keycloak-dev>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
<https://lists.jboss.org/mailman/listinfo/keycloak-dev>
4:15 p.m.
New subject: Authz Model Implementation
A lot of the PL APIs are going to go away. We want tight and focused
SPIs that leverage the rest of the Keycloak platform and vision. Not
broad generic APIs for rolling your own SSO solution. We want something
out of the box that for most cases a user doesn't have to be a Java
programmer to use and deploy Keycloak. You just have to have a focused
and specific security model to provide an out of the box solution and
focused vision.
That being said, what we've learned is that developers have broad and
different requirements when it comes to authorization and permissions.
This is where an API, backed by the authz server, would be very useful.
Pedro was involved with PLs permission APIs and I'm confident he has
some really good ideas for evolving it.
On 10/19/2015 8:45 AM, Arthur Gregório wrote:
Then KC will not have a model in the style of the PL?
This means that those who used the PL hoping that everything in it was
in KC turned out to have a framework discontinued and with no more updates?
Or the PL as it exists today will continue to be developed and there
will be a plus integration with KC?
I am very confused by the merge of the projects, it appears that the
security of my system already died before were born.
at.,
*Arthur P. Gregório*
/+55 45 9958-0302/
@gregorioarthur
www.arthurgregorio.eti.br <http://www.arthurgregorio.eti.br>
2015-10-19 10:24 GMT-02:00 Pedro Igor Silva <psilva(a)redhat.com
<mailto:psilva@redhat.com>>:
Hey Crhisthian,
As Bill said, we are working on an Authz Server for Keycloak in
order to provide fine-grained permissions. It is still a working in
progress, although we already have a baseline for a first release
which will happen very soon.
From a migration perspective, while PL provides a rich
Permission Java API, Keycloak will provide a distributable
authorization server based on a RESTful API to manage resources,
policies, evaluate policies, obtain entitlements and plus other
goodies. In other words, Keycloak will become a PAP (Policy
Administration Point), a PDP (Policy Decision Point) and a
Entitlements Server. Everything based on OpenID Connect (and of
course, oAuth2).
As you know, Keycloak is a feature rich, OOTB and easy to use
security as a service solution. We are considering these same
premises for the authz server, so you can protect web apps, RESTful
APIs or any other resources very easily. For instance, you'll be
able to write policies using JBoss Drools, EL and easily extend your
existing oAuth2 clients in order ask for permissions or enforce them
(in case your client acts as a resource server).
I'm afraid there will be no "migragration path" between PL and
KC, at this sense. But we can work together to make this migration
easier. For instance, we are going to provide a Protection API which
can be used to manage resources and policies remotely.
Regards.
Pedro Igor
----- Original Message -----
From: "Cristhian Camilo Lopez" <calovi86(a)gmail.com
<mailto:calovi86@gmail.com>>
To: keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
Sent: Sunday, October 18, 2015 3:16:30 PM
Subject: Re: [keycloak-dev] Authz Model Implementation
Hi Pedro,
I'm migrating from Picketlink, but I haven't found the way to use
fine-grained permissions, Could u give me some advice on this ?
Thanks,
Cristhian.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
7:01 p.m.
New subject: Authz Model Implementation
Hey Arthur,
Please, take a look at this announcement [1] for more details about the merge.
[1] http://picketlink.org/news/2015/03/10/PicketLink-and-Keycloak-project-merge/
Regards.
Pedro Igor
----- Original Message -----
From: "Arthur Gregório" <arthurshakal(a)gmail.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: "Cristhian Camilo Lopez" <calovi86(a)gmail.com>,
keycloak-dev(a)lists.jboss.org
Sent: Monday, October 19, 2015 10:45:24 AM
Subject: Re: [keycloak-dev] Authz Model Implementation
Then KC will not have a model in the style of the PL?
This means that those who used the PL hoping that everything in it was in
KC turned out to have a framework discontinued and with no more updates?
Or the PL as it exists today will continue to be developed and there will
be a plus integration with KC?
I am very confused by the merge of the projects, it appears that the
security of my system already died before were born.
at.,
*Arthur P. Gregório*
*+55 45 9958-0302*
@gregorioarthur
www.arthurgregorio.eti.br
2015-10-19 10:24 GMT-02:00 Pedro Igor Silva <psilva(a)redhat.com>:
Hey Crhisthian,
As Bill said, we are working on an Authz Server for Keycloak in order
to provide fine-grained permissions. It is still a working in progress,
although we already have a baseline for a first release which will happen
very soon.
From a migration perspective, while PL provides a rich Permission Java
API, Keycloak will provide a distributable authorization server based on a
RESTful API to manage resources, policies, evaluate policies, obtain
entitlements and plus other goodies. In other words, Keycloak will become a
PAP (Policy Administration Point), a PDP (Policy Decision Point) and a
Entitlements Server. Everything based on OpenID Connect (and of course,
oAuth2).
As you know, Keycloak is a feature rich, OOTB and easy to use security
as a service solution. We are considering these same premises for the authz
server, so you can protect web apps, RESTful APIs or any other resources
very easily. For instance, you'll be able to write policies using JBoss
Drools, EL and easily extend your existing oAuth2 clients in order ask for
permissions or enforce them (in case your client acts as a resource server).
I'm afraid there will be no "migragration path" between PL and KC, at
this sense. But we can work together to make this migration easier. For
instance, we are going to provide a Protection API which can be used to
manage resources and policies remotely.
Regards.
Pedro Igor
----- Original Message -----
From: "Cristhian Camilo Lopez" <calovi86(a)gmail.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Sunday, October 18, 2015 3:16:30 PM
Subject: Re: [keycloak-dev] Authz Model Implementation
Hi Pedro,
I'm migrating from Picketlink, but I haven't found the way to use
fine-grained permissions, Could u give me some advice on this ?
Thanks,
Cristhian.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3389
days inactive
3390
days old
5 comments
5 participants
participants (5)
-
Arthur Gregório -
Bill Burke -
Cristhian Camilo Lopez -
Cristhian Lopez
-
Pedro Igor Silva