On Sun, Mar 26, 2017 at 12:06 PM, Bill Burke <bburke(a)redhat.com> wrote:
> Authorization component of Keycloak is really cool and has a strong core
> base of functionality. I think it needs another iteration though
> especially around the REST interface and Java API.
> The REST interface is just too complex for anybody to use. I'll give
> some examples:
> * To create a permission, you must create a PolicyRepresentation.
> Policy and Permission are overloaded and it's unclear how to use the REST
> API to create concepts that exist in the admin console.
> * To apply resources and scopes to a permission definition, you have to
> store a stringified JSON array into a regular JSON map.
> * In Java API, Policy and Permission are also overloaded. In data model
> policy and permission are also overloaded. This makes it really unclear
> how to create a permission vs. just a plain policy.
> Suggestion:
> * Create a PermissionDefinitionRepresentation and pull core config
> options (scopes, applied policies, resources) into actual fields rather
> than in a generic config map.
As we already discussed in a previous thread, policy management via REST
API is a TODO and we have a JIRA for this. Will work on it this week.
> * Leverage the ComponentModel API to store non-core configuration, i.e.
> policy type specific information. It supports multi-valued hash maps
> and also has utilities in admin console for rendering this configuration
> data.
+1. Yeah, I really missed this capability. I will review this part of the
code and check how component model works.
> * Create a PermissionDefinition interface in storage API
I'm not willing to change model now .... But we can change the API to start
introducing this.
What do you say?
> Bill