6:23 a.m.
Our URLs are quite long, examples:
* http://localhost:8080/auth/realms/master/protocols/openid-connect/login
* http://localhost:8080/auth/realms/master/account
We could remove the 'realms' part and 'protocols' parts couldn't we?
* http://localhost:8080/auth/master/oidc/login
* http://localhost:8080/auth/master/account
That would require moving everything under a realm and I guess we'd need to hard-wire
the protocols, but I think that should be fine.
We also need to make sure we can just the root context:
* http://localhost:8080/master/oidc/login
* http://localhost:8080/master/account
We can also introduce other mechanisms to select the realm. For example a server with
single realm can just omit it altogether:
* http://localhost:8080/oidc/login
* http://localhost:8080/account
And we could allow setting what domains uses what realms:
* http://keycloak-master/oidc/login
* http://keycloak-other/oidc/login
8:01 a.m.
I like the idea of an option to bind the auth server to the root
context. I think that would be especially good for the appliance dist.
But I'm not sure about the rest. What is the problem we are solving?
On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
Our URLs are quite long, examples:
* http://localhost:8080/auth/realms/master/protocols/openid-connect/login
* http://localhost:8080/auth/realms/master/account
We could remove the 'realms' part and 'protocols' parts couldn't we?
* http://localhost:8080/auth/master/oidc/login
* http://localhost:8080/auth/master/account
That would require moving everything under a realm and I guess we'd need to hard-wire
the protocols, but I think that should be fine.
We also need to make sure we can just the root context:
* http://localhost:8080/master/oidc/login
* http://localhost:8080/master/account
We can also introduce other mechanisms to select the realm. For example a server with
single realm can just omit it altogether:
* http://localhost:8080/oidc/login
* http://localhost:8080/account
And we could allow setting what domains uses what realms:
* http://keycloak-master/oidc/login
* http://keycloak-other/oidc/login
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:06 a.m.
----- Original Message -----
From: "Stan Silvert" <ssilvert(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, January 23, 2015 2:01:23 PM
Subject: Re: [keycloak-dev] Shortening URLs
I like the idea of an option to bind the auth server to the root
context. I think that would be especially good for the appliance dist.
But I'm not sure about the rest. What is the problem we are solving?
Shorter and easier to remember URLs ;)
At least one the account will be something that users access directly.
On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
> Our URLs are quite long, examples:
>
> * http://localhost:8080/auth/realms/master/protocols/openid-connect/login
> * http://localhost:8080/auth/realms/master/account
>
> We could remove the 'realms' part and 'protocols' parts couldn't
we?
>
> * http://localhost:8080/auth/master/oidc/login
> * http://localhost:8080/auth/master/account
>
> That would require moving everything under a realm and I guess we'd need to
> hard-wire the protocols, but I think that should be fine.
>
> We also need to make sure we can just the root context:
>
> * http://localhost:8080/master/oidc/login
> * http://localhost:8080/master/account
>
> We can also introduce other mechanisms to select the realm. For example a
> server with single realm can just omit it altogether:
>
> * http://localhost:8080/oidc/login
> * http://localhost:8080/account
>
> And we could allow setting what domains uses what realms:
>
> * http://keycloak-master/oidc/login
> * http://keycloak-other/oidc/login
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:10 a.m.
On 1/23/2015 8:06 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Stan Silvert" <ssilvert(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Friday, January 23, 2015 2:01:23 PM
> Subject: Re: [keycloak-dev] Shortening URLs
>
> I like the idea of an option to bind the auth server to the root
> context. I think that would be especially good for the appliance dist.
>
> But I'm not sure about the rest. What is the problem we are solving?
Shorter and easier to remember URLs ;)
At least one the account will be something that users access directly.
Which one is
the URL that they will need to remember? Maybe we could
make an alias.
> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>> Our URLs are quite long, examples:
>>
>> * http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>> * http://localhost:8080/auth/realms/master/account
>>
>> We could remove the 'realms' part and 'protocols' parts
couldn't we?
>>
>> * http://localhost:8080/auth/master/oidc/login
>> * http://localhost:8080/auth/master/account
>>
>> That would require moving everything under a realm and I guess we'd need to
>> hard-wire the protocols, but I think that should be fine.
>>
>> We also need to make sure we can just the root context:
>>
>> * http://localhost:8080/master/oidc/login
>> * http://localhost:8080/master/account
>>
>> We can also introduce other mechanisms to select the realm. For example a
>> server with single realm can just omit it altogether:
>>
>> * http://localhost:8080/oidc/login
>> * http://localhost:8080/account
>>
>> And we could allow setting what domains uses what realms:
>>
>> * http://keycloak-master/oidc/login
>> * http://keycloak-other/oidc/login
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
8:20 a.m.
----- Original Message -----
From: "Stan Silvert" <ssilvert(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, January 23, 2015 2:10:00 PM
Subject: Re: [keycloak-dev] Shortening URLs
On 1/23/2015 8:06 AM, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, January 23, 2015 2:01:23 PM
>> Subject: Re: [keycloak-dev] Shortening URLs
>>
>> I like the idea of an option to bind the auth server to the root
>> context. I think that would be especially good for the appliance dist.
>>
>> But I'm not sure about the rest. What is the problem we are solving?
> Shorter and easier to remember URLs ;)
>
> At least one the account will be something that users access directly.
Which one is the URL that they will need to remember? Maybe we could
make an alias.
Account is accessible by users directly:
- http://localhost:8080/auth/realms/master/account
BTW why not change it? If it can make things simpler for users. Devs that don't use
our adapters, but use standard openid connect libs for example, will need to figure out
all urls and configure them in the lib their using.
>
>> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>>> Our URLs are quite long, examples:
>>>
>>> * http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>>> * http://localhost:8080/auth/realms/master/account
>>>
>>> We could remove the 'realms' part and 'protocols' parts
couldn't we?
>>>
>>> * http://localhost:8080/auth/master/oidc/login
>>> * http://localhost:8080/auth/master/account
>>>
>>> That would require moving everything under a realm and I guess we'd
need
>>> to
>>> hard-wire the protocols, but I think that should be fine.
>>>
>>> We also need to make sure we can just the root context:
>>>
>>> * http://localhost:8080/master/oidc/login
>>> * http://localhost:8080/master/account
>>>
>>> We can also introduce other mechanisms to select the realm. For example a
>>> server with single realm can just omit it altogether:
>>>
>>> * http://localhost:8080/oidc/login
>>> * http://localhost:8080/account
>>>
>>> And we could allow setting what domains uses what realms:
>>>
>>> * http://keycloak-master/oidc/login
>>> * http://keycloak-other/oidc/login
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
8:25 a.m.
+1. And for OIDC endpoints, we still need to review them some time.
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Friday, January 23, 2015 9:23:54 AM
Subject: [keycloak-dev] Shortening URLs
Our URLs are quite long, examples:
* http://localhost:8080/auth/realms/master/protocols/openid-connect/login
* http://localhost:8080/auth/realms/master/account
We could remove the 'realms' part and 'protocols' parts couldn't we?
* http://localhost:8080/auth/master/oidc/login
* http://localhost:8080/auth/master/account
That would require moving everything under a realm and I guess we'd need to hard-wire
the protocols, but I think that should be fine.
We also need to make sure we can just the root context:
* http://localhost:8080/master/oidc/login
* http://localhost:8080/master/account
We can also introduce other mechanisms to select the realm. For example a server with
single realm can just omit it altogether:
* http://localhost:8080/oidc/login
* http://localhost:8080/account
And we could allow setting what domains uses what realms:
* http://keycloak-master/oidc/login
* http://keycloak-other/oidc/login
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:27 a.m.
However, I think we may need to keep /auth. It may be useful to reference the whole server
regardless a specific realm.
----- Original Message -----
From: "Pedro Igor Silva" <psilva(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Friday, January 23, 2015 11:25:34 AM
Subject: Re: [keycloak-dev] Shortening URLs
+1. And for OIDC endpoints, we still need to review them some time.
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Friday, January 23, 2015 9:23:54 AM
Subject: [keycloak-dev] Shortening URLs
Our URLs are quite long, examples:
* http://localhost:8080/auth/realms/master/protocols/openid-connect/login
* http://localhost:8080/auth/realms/master/account
We could remove the 'realms' part and 'protocols' parts couldn't we?
* http://localhost:8080/auth/master/oidc/login
* http://localhost:8080/auth/master/account
That would require moving everything under a realm and I guess we'd need to hard-wire
the protocols, but I think that should be fine.
We also need to make sure we can just the root context:
* http://localhost:8080/master/oidc/login
* http://localhost:8080/master/account
We can also introduce other mechanisms to select the realm. For example a server with
single realm can just omit it altogether:
* http://localhost:8080/oidc/login
* http://localhost:8080/account
And we could allow setting what domains uses what realms:
* http://keycloak-master/oidc/login
* http://keycloak-other/oidc/login
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:32 a.m.
----- Original Message -----
From: "Pedro Igor Silva" <psilva(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Friday, January 23, 2015 2:27:19 PM
Subject: Re: [keycloak-dev] Shortening URLs
However, I think we may need to keep /auth. It may be useful to reference the
whole server regardless a specific realm.
/auth isn't needed if Keycloak is running as a separate server and has it's own
domain for example https://auth.acme.org
----- Original Message -----
From: "Pedro Igor Silva" <psilva(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Friday, January 23, 2015 11:25:34 AM
Subject: Re: [keycloak-dev] Shortening URLs
+1. And for OIDC endpoints, we still need to review them some time.
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Friday, January 23, 2015 9:23:54 AM
Subject: [keycloak-dev] Shortening URLs
Our URLs are quite long, examples:
* http://localhost:8080/auth/realms/master/protocols/openid-connect/login
* http://localhost:8080/auth/realms/master/account
We could remove the 'realms' part and 'protocols' parts couldn't we?
* http://localhost:8080/auth/master/oidc/login
* http://localhost:8080/auth/master/account
That would require moving everything under a realm and I guess we'd need to
hard-wire the protocols, but I think that should be fine.
We also need to make sure we can just the root context:
* http://localhost:8080/master/oidc/login
* http://localhost:8080/master/account
We can also introduce other mechanisms to select the realm. For example a
server with single realm can just omit it altogether:
* http://localhost:8080/oidc/login
* http://localhost:8080/account
And we could allow setting what domains uses what realms:
* http://keycloak-master/oidc/login
* http://keycloak-other/oidc/login
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:43 a.m.
On 1/23/2015 8:27 AM, Pedro Igor Silva wrote:
However, I think we may need to keep /auth. It may be useful to
reference the whole server regardless a specific realm.
auth can just be the root
context. You can do that with Keycloak
today. But we could make it easier to configure it.
----- Original Message -----
From: "Pedro Igor Silva" <psilva(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Friday, January 23, 2015 11:25:34 AM
Subject: Re: [keycloak-dev] Shortening URLs
+1. And for OIDC endpoints, we still need to review them some time.
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Friday, January 23, 2015 9:23:54 AM
Subject: [keycloak-dev] Shortening URLs
Our URLs are quite long, examples:
* http://localhost:8080/auth/realms/master/protocols/openid-connect/login
* http://localhost:8080/auth/realms/master/account
We could remove the 'realms' part and 'protocols' parts couldn't we?
* http://localhost:8080/auth/master/oidc/login
* http://localhost:8080/auth/master/account
That would require moving everything under a realm and I guess we'd need to hard-wire
the protocols, but I think that should be fine.
We also need to make sure we can just the root context:
* http://localhost:8080/master/oidc/login
* http://localhost:8080/master/account
We can also introduce other mechanisms to select the realm. For example a server with
single realm can just omit it altogether:
* http://localhost:8080/oidc/login
* http://localhost:8080/account
And we could allow setting what domains uses what realms:
* http://keycloak-master/oidc/login
* http://keycloak-other/oidc/login
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:45 a.m.
I'm just thinking that we need to be careful about future name
collisions. For instance, if we need a URL that applies to the entire
auth server and we name it "foo" you would get a URL like this:
http://localhost:8080/auth/foo/
Then without the "realms" part of the URL someone could name their realm
foo and you would get a collision.
So if it's something the user needs to remember, let's make it super easy:
http://foo.com/stan
Of course then we would need to either enforce that they only create one
realm So for multiple realms we could make it:
http://realm.foo.com/stan
On 1/23/2015 8:20 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Stan Silvert" <ssilvert(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Friday, January 23, 2015 2:10:00 PM
> Subject: Re: [keycloak-dev] Shortening URLs
>
> On 1/23/2015 8:06 AM, Stian Thorgersen wrote:
>> ----- Original Message -----
>>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>>> To: keycloak-dev(a)lists.jboss.org
>>> Sent: Friday, January 23, 2015 2:01:23 PM
>>> Subject: Re: [keycloak-dev] Shortening URLs
>>>
>>> I like the idea of an option to bind the auth server to the root
>>> context. I think that would be especially good for the appliance dist.
>>>
>>> But I'm not sure about the rest. What is the problem we are solving?
>> Shorter and easier to remember URLs ;)
>>
>> At least one the account will be something that users access directly.
> Which one is the URL that they will need to remember? Maybe we could
> make an alias.
Account is accessible by users directly:
- http://localhost:8080/auth/realms/master/account
BTW why not change it? If it can make things simpler for users. Devs that don't use
our adapters, but use standard openid connect libs for example, will need to figure out
all urls and configure them in the lib their using.
>>> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>>>> Our URLs are quite long, examples:
>>>>
>>>> *
http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>>>> * http://localhost:8080/auth/realms/master/account
>>>>
>>>> We could remove the 'realms' part and 'protocols' parts
couldn't we?
>>>>
>>>> * http://localhost:8080/auth/master/oidc/login
>>>> * http://localhost:8080/auth/master/account
>>>>
>>>> That would require moving everything under a realm and I guess we'd
need
>>>> to
>>>> hard-wire the protocols, but I think that should be fine.
>>>>
>>>> We also need to make sure we can just the root context:
>>>>
>>>> * http://localhost:8080/master/oidc/login
>>>> * http://localhost:8080/master/account
>>>>
>>>> We can also introduce other mechanisms to select the realm. For example
a
>>>> server with single realm can just omit it altogether:
>>>>
>>>> * http://localhost:8080/oidc/login
>>>> * http://localhost:8080/account
>>>>
>>>> And we could allow setting what domains uses what realms:
>>>>
>>>> * http://keycloak-master/oidc/login
>>>> * http://keycloak-other/oidc/login
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>
8:47 a.m.
On 1/23/2015 8:45 AM, Stan Silvert wrote:
So if it's something the user needs to remember, let's make
it super easy:
http://foo.com/stan
Of course then we would need to either enforce that they only create one
realm So for multiple realms we could make it:
http://realm.foo.com/stan
I mean http://realmname.foo.com
On 1/23/2015 8:20 AM, Stian Thorgersen wrote:
> ----- Original Message -----
>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, January 23, 2015 2:10:00 PM
>> Subject: Re: [keycloak-dev] Shortening URLs
>>
>> On 1/23/2015 8:06 AM, Stian Thorgersen wrote:
>>> ----- Original Message -----
>>>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>>>> To: keycloak-dev(a)lists.jboss.org
>>>> Sent: Friday, January 23, 2015 2:01:23 PM
>>>> Subject: Re: [keycloak-dev] Shortening URLs
>>>>
>>>> I like the idea of an option to bind the auth server to the root
>>>> context. I think that would be especially good for the appliance dist.
>>>>
>>>> But I'm not sure about the rest. What is the problem we are
solving?
>>> Shorter and easier to remember URLs ;)
>>>
>>> At least one the account will be something that users access directly.
>> Which one is the URL that they will need to remember? Maybe we could
>> make an alias.
> Account is accessible by users directly:
> - http://localhost:8080/auth/realms/master/account
>
> BTW why not change it? If it can make things simpler for users. Devs that don't
use our adapters, but use standard openid connect libs for example, will need to figure
out all urls and configure them in the lib their using.
>
>>>> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>>>>> Our URLs are quite long, examples:
>>>>>
>>>>> *
http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>>>>> * http://localhost:8080/auth/realms/master/account
>>>>>
>>>>> We could remove the 'realms' part and 'protocols'
parts couldn't we?
>>>>>
>>>>> * http://localhost:8080/auth/master/oidc/login
>>>>> * http://localhost:8080/auth/master/account
>>>>>
>>>>> That would require moving everything under a realm and I guess
we'd need
>>>>> to
>>>>> hard-wire the protocols, but I think that should be fine.
>>>>>
>>>>> We also need to make sure we can just the root context:
>>>>>
>>>>> * http://localhost:8080/master/oidc/login
>>>>> * http://localhost:8080/master/account
>>>>>
>>>>> We can also introduce other mechanisms to select the realm. For
example a
>>>>> server with single realm can just omit it altogether:
>>>>>
>>>>> * http://localhost:8080/oidc/login
>>>>> * http://localhost:8080/account
>>>>>
>>>>> And we could allow setting what domains uses what realms:
>>>>>
>>>>> * http://keycloak-master/oidc/login
>>>>> * http://keycloak-other/oidc/login
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:49 a.m.
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Friday, January 23, 2015 11:32:47 AM
Subject: Re: [keycloak-dev] Shortening URLs
----- Original Message -----
> From: "Pedro Igor Silva" <psilva(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> Sent: Friday, January 23, 2015 2:27:19 PM
> Subject: Re: [keycloak-dev] Shortening URLs
>
> However, I think we may need to keep /auth. It may be useful to reference
> the
> whole server regardless a specific realm.
/auth isn't needed if Keycloak is running as a separate server and has it's
own domain for example https://auth.acme.org
Yep, if not you may also want to reference a path. But I think that usually you will
prefer a separated server for KC, right ?
Also, how the URLs looks like when you are embedding KC into another project ?
>
> ----- Original Message -----
> From: "Pedro Igor Silva" <psilva(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> Sent: Friday, January 23, 2015 11:25:34 AM
> Subject: Re: [keycloak-dev] Shortening URLs
>
> +1. And for OIDC endpoints, we still need to review them some time.
>
> ----- Original Message -----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> To: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> Sent: Friday, January 23, 2015 9:23:54 AM
> Subject: [keycloak-dev] Shortening URLs
>
> Our URLs are quite long, examples:
>
> * http://localhost:8080/auth/realms/master/protocols/openid-connect/login
> * http://localhost:8080/auth/realms/master/account
>
> We could remove the 'realms' part and 'protocols' parts couldn't
we?
>
> * http://localhost:8080/auth/master/oidc/login
> * http://localhost:8080/auth/master/account
>
> That would require moving everything under a realm and I guess we'd need to
> hard-wire the protocols, but I think that should be fine.
>
> We also need to make sure we can just the root context:
>
> * http://localhost:8080/master/oidc/login
> * http://localhost:8080/master/account
>
> We can also introduce other mechanisms to select the realm. For example a
> server with single realm can just omit it altogether:
>
> * http://localhost:8080/oidc/login
> * http://localhost:8080/account
>
> And we could allow setting what domains uses what realms:
>
> * http://keycloak-master/oidc/login
> * http://keycloak-other/oidc/login
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
8:51 a.m.
----- Original Message -----
From: "Pedro Igor Silva" <psilva(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Friday, January 23, 2015 2:49:18 PM
Subject: Re: [keycloak-dev] Shortening URLs
----- Original Message -----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> To: "Pedro Igor Silva" <psilva(a)redhat.com>
> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> Sent: Friday, January 23, 2015 11:32:47 AM
> Subject: Re: [keycloak-dev] Shortening URLs
>
>
>
> ----- Original Message -----
> > From: "Pedro Igor Silva" <psilva(a)redhat.com>
> > To: "Stian Thorgersen" <stian(a)redhat.com>
> > Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> > Sent: Friday, January 23, 2015 2:27:19 PM
> > Subject: Re: [keycloak-dev] Shortening URLs
> >
> > However, I think we may need to keep /auth. It may be useful to reference
> > the
> > whole server regardless a specific realm.
>
> /auth isn't needed if Keycloak is running as a separate server and has it's
> own domain for example https://auth.acme.org
Yep, if not you may also want to reference a path. But I think that usually
you will prefer a separated server for KC, right ?
Also, how the URLs looks like when you are embedding KC into another project
?
That should be configurable by the project, but usually it would be '/auth'
>
> >
> > ----- Original Message -----
> > From: "Pedro Igor Silva" <psilva(a)redhat.com>
> > To: "Stian Thorgersen" <stian(a)redhat.com>
> > Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> > Sent: Friday, January 23, 2015 11:25:34 AM
> > Subject: Re: [keycloak-dev] Shortening URLs
> >
> > +1. And for OIDC endpoints, we still need to review them some time.
> >
> > ----- Original Message -----
> > From: "Stian Thorgersen" <stian(a)redhat.com>
> > To: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> > Sent: Friday, January 23, 2015 9:23:54 AM
> > Subject: [keycloak-dev] Shortening URLs
> >
> > Our URLs are quite long, examples:
> >
> > * http://localhost:8080/auth/realms/master/protocols/openid-connect/login
> > * http://localhost:8080/auth/realms/master/account
> >
> > We could remove the 'realms' part and 'protocols' parts
couldn't we?
> >
> > * http://localhost:8080/auth/master/oidc/login
> > * http://localhost:8080/auth/master/account
> >
> > That would require moving everything under a realm and I guess we'd need
> > to
> > hard-wire the protocols, but I think that should be fine.
> >
> > We also need to make sure we can just the root context:
> >
> > * http://localhost:8080/master/oidc/login
> > * http://localhost:8080/master/account
> >
> > We can also introduce other mechanisms to select the realm. For example a
> > server with single realm can just omit it altogether:
> >
> > * http://localhost:8080/oidc/login
> > * http://localhost:8080/account
> >
> > And we could allow setting what domains uses what realms:
> >
> > * http://keycloak-master/oidc/login
> > * http://keycloak-other/oidc/login
> >
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
8:52 a.m.
----- Original Message -----
From: "Stan Silvert" <ssilvert(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, January 23, 2015 2:47:20 PM
Subject: Re: [keycloak-dev] Shortening URLs
On 1/23/2015 8:45 AM, Stan Silvert wrote:
> So if it's something the user needs to remember, let's make it super easy:
>
> http://foo.com/stan
>
> Of course then we would need to either enforce that they only create one
> realm So for multiple realms we could make it:
>
> http://realm.foo.com/stan
I mean http://realmname.foo.com
I don't think that'll work - if we drop '/realms/' part we would have to
move everything under a realm
>
> On 1/23/2015 8:20 AM, Stian Thorgersen wrote:
>> ----- Original Message -----
>>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: keycloak-dev(a)lists.jboss.org
>>> Sent: Friday, January 23, 2015 2:10:00 PM
>>> Subject: Re: [keycloak-dev] Shortening URLs
>>>
>>> On 1/23/2015 8:06 AM, Stian Thorgersen wrote:
>>>> ----- Original Message -----
>>>>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>>>>> To: keycloak-dev(a)lists.jboss.org
>>>>> Sent: Friday, January 23, 2015 2:01:23 PM
>>>>> Subject: Re: [keycloak-dev] Shortening URLs
>>>>>
>>>>> I like the idea of an option to bind the auth server to the root
>>>>> context. I think that would be especially good for the appliance
>>>>> dist.
>>>>>
>>>>> But I'm not sure about the rest. What is the problem we are
solving?
>>>> Shorter and easier to remember URLs ;)
>>>>
>>>> At least one the account will be something that users access directly.
>>> Which one is the URL that they will need to remember? Maybe we could
>>> make an alias.
>> Account is accessible by users directly:
>> - http://localhost:8080/auth/realms/master/account
>>
>> BTW why not change it? If it can make things simpler for users. Devs that
>> don't use our adapters, but use standard openid connect libs for example,
>> will need to figure out all urls and configure them in the lib their
>> using.
>>
>>>>> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>>>>>> Our URLs are quite long, examples:
>>>>>>
>>>>>> *
>>>>>>
http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>>>>>> * http://localhost:8080/auth/realms/master/account
>>>>>>
>>>>>> We could remove the 'realms' part and
'protocols' parts couldn't we?
>>>>>>
>>>>>> * http://localhost:8080/auth/master/oidc/login
>>>>>> * http://localhost:8080/auth/master/account
>>>>>>
>>>>>> That would require moving everything under a realm and I guess
we'd
>>>>>> need
>>>>>> to
>>>>>> hard-wire the protocols, but I think that should be fine.
>>>>>>
>>>>>> We also need to make sure we can just the root context:
>>>>>>
>>>>>> * http://localhost:8080/master/oidc/login
>>>>>> * http://localhost:8080/master/account
>>>>>>
>>>>>> We can also introduce other mechanisms to select the realm. For
>>>>>> example a
>>>>>> server with single realm can just omit it altogether:
>>>>>>
>>>>>> * http://localhost:8080/oidc/login
>>>>>> * http://localhost:8080/account
>>>>>>
>>>>>> And we could allow setting what domains uses what realms:
>>>>>>
>>>>>> * http://keycloak-master/oidc/login
>>>>>> * http://keycloak-other/oidc/login
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:06 a.m.
On 1/23/2015 8:52 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Stan Silvert" <ssilvert(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Friday, January 23, 2015 2:47:20 PM
> Subject: Re: [keycloak-dev] Shortening URLs
>
> On 1/23/2015 8:45 AM, Stan Silvert wrote:
>> So if it's something the user needs to remember, let's make it super
easy:
>>
>> http://foo.com/stan
>>
>> Of course then we would need to either enforce that they only create one
>> realm So for multiple realms we could make it:
>>
>> http://realm.foo.com/stan
> I mean http://realmname.foo.com
I don't think that'll work - if we drop '/realms/' part we would have to
move everything under a realm
The simplified URL would only be for that one use case
we need to
solve. Everything else would work the old way.
I'm just thinking that if there is something the user needs to memorize
then we should make it really, really easy to memorize.
>> On 1/23/2015 8:20 AM, Stian Thorgersen wrote:
>>> ----- Original Message -----
>>>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>> Sent: Friday, January 23, 2015 2:10:00 PM
>>>> Subject: Re: [keycloak-dev] Shortening URLs
>>>>
>>>> On 1/23/2015 8:06 AM, Stian Thorgersen wrote:
>>>>> ----- Original Message -----
>>>>>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>>>>>> To: keycloak-dev(a)lists.jboss.org
>>>>>> Sent: Friday, January 23, 2015 2:01:23 PM
>>>>>> Subject: Re: [keycloak-dev] Shortening URLs
>>>>>>
>>>>>> I like the idea of an option to bind the auth server to the root
>>>>>> context. I think that would be especially good for the
appliance
>>>>>> dist.
>>>>>>
>>>>>> But I'm not sure about the rest. What is the problem we are
solving?
>>>>> Shorter and easier to remember URLs ;)
>>>>>
>>>>> At least one the account will be something that users access
directly.
>>>> Which one is the URL that they will need to remember? Maybe we could
>>>> make an alias.
>>> Account is accessible by users directly:
>>> - http://localhost:8080/auth/realms/master/account
>>>
>>> BTW why not change it? If it can make things simpler for users. Devs that
>>> don't use our adapters, but use standard openid connect libs for
example,
>>> will need to figure out all urls and configure them in the lib their
>>> using.
>>>
>>>>>> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>>>>>>> Our URLs are quite long, examples:
>>>>>>>
>>>>>>> *
>>>>>>>
http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>>>>>>> * http://localhost:8080/auth/realms/master/account
>>>>>>>
>>>>>>> We could remove the 'realms' part and
'protocols' parts couldn't we?
>>>>>>>
>>>>>>> * http://localhost:8080/auth/master/oidc/login
>>>>>>> * http://localhost:8080/auth/master/account
>>>>>>>
>>>>>>> That would require moving everything under a realm and I
guess we'd
>>>>>>> need
>>>>>>> to
>>>>>>> hard-wire the protocols, but I think that should be fine.
>>>>>>>
>>>>>>> We also need to make sure we can just the root context:
>>>>>>>
>>>>>>> * http://localhost:8080/master/oidc/login
>>>>>>> * http://localhost:8080/master/account
>>>>>>>
>>>>>>> We can also introduce other mechanisms to select the realm.
For
>>>>>>> example a
>>>>>>> server with single realm can just omit it altogether:
>>>>>>>
>>>>>>> * http://localhost:8080/oidc/login
>>>>>>> * http://localhost:8080/account
>>>>>>>
>>>>>>> And we could allow setting what domains uses what realms:
>>>>>>>
>>>>>>> * http://keycloak-master/oidc/login
>>>>>>> * http://keycloak-other/oidc/login
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-dev mailing list
>>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
9:13 a.m.
----- Original Message -----
From: "Stan Silvert" <ssilvert(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, January 23, 2015 3:06:44 PM
Subject: Re: [keycloak-dev] Shortening URLs
On 1/23/2015 8:52 AM, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, January 23, 2015 2:47:20 PM
>> Subject: Re: [keycloak-dev] Shortening URLs
>>
>> On 1/23/2015 8:45 AM, Stan Silvert wrote:
>>> So if it's something the user needs to remember, let's make it
super
>>> easy:
>>>
>>> http://foo.com/stan
>>>
>>> Of course then we would need to either enforce that they only create one
>>> realm So for multiple realms we could make it:
>>>
>>> http://realm.foo.com/stan
>> I mean http://realmname.foo.com
> I don't think that'll work - if we drop '/realms/' part we would
have to
> move everything under a realm
The simplified URL would only be for that one use case we need to
solve. Everything else would work the old way.
I'm just thinking that if there is something the user needs to memorize
then we should make it really, really easy to memorize.
What I suggested in the first place makes everything much easier.
>
>>> On 1/23/2015 8:20 AM, Stian Thorgersen wrote:
>>>> ----- Original Message -----
>>>>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>> Sent: Friday, January 23, 2015 2:10:00 PM
>>>>> Subject: Re: [keycloak-dev] Shortening URLs
>>>>>
>>>>> On 1/23/2015 8:06 AM, Stian Thorgersen wrote:
>>>>>> ----- Original Message -----
>>>>>>> From: "Stan Silvert" <ssilvert(a)redhat.com>
>>>>>>> To: keycloak-dev(a)lists.jboss.org
>>>>>>> Sent: Friday, January 23, 2015 2:01:23 PM
>>>>>>> Subject: Re: [keycloak-dev] Shortening URLs
>>>>>>>
>>>>>>> I like the idea of an option to bind the auth server to the
root
>>>>>>> context. I think that would be especially good for the
appliance
>>>>>>> dist.
>>>>>>>
>>>>>>> But I'm not sure about the rest. What is the problem we
are solving?
>>>>>> Shorter and easier to remember URLs ;)
>>>>>>
>>>>>> At least one the account will be something that users access
directly.
>>>>> Which one is the URL that they will need to remember? Maybe we
could
>>>>> make an alias.
>>>> Account is accessible by users directly:
>>>> - http://localhost:8080/auth/realms/master/account
>>>>
>>>> BTW why not change it? If it can make things simpler for users. Devs
>>>> that
>>>> don't use our adapters, but use standard openid connect libs for
>>>> example,
>>>> will need to figure out all urls and configure them in the lib their
>>>> using.
>>>>
>>>>>>> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>>>>>>>> Our URLs are quite long, examples:
>>>>>>>>
>>>>>>>> *
>>>>>>>>
http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>>>>>>>> * http://localhost:8080/auth/realms/master/account
>>>>>>>>
>>>>>>>> We could remove the 'realms' part and
'protocols' parts couldn't we?
>>>>>>>>
>>>>>>>> * http://localhost:8080/auth/master/oidc/login
>>>>>>>> * http://localhost:8080/auth/master/account
>>>>>>>>
>>>>>>>> That would require moving everything under a realm and I
guess we'd
>>>>>>>> need
>>>>>>>> to
>>>>>>>> hard-wire the protocols, but I think that should be
fine.
>>>>>>>>
>>>>>>>> We also need to make sure we can just the root context:
>>>>>>>>
>>>>>>>> * http://localhost:8080/master/oidc/login
>>>>>>>> * http://localhost:8080/master/account
>>>>>>>>
>>>>>>>> We can also introduce other mechanisms to select the
realm. For
>>>>>>>> example a
>>>>>>>> server with single realm can just omit it altogether:
>>>>>>>>
>>>>>>>> * http://localhost:8080/oidc/login
>>>>>>>> * http://localhost:8080/account
>>>>>>>>
>>>>>>>> And we could allow setting what domains uses what
realms:
>>>>>>>>
>>>>>>>> * http://keycloak-master/oidc/login
>>>>>>>> * http://keycloak-other/oidc/login
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-dev mailing list
>>>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>> _______________________________________________
>>>>>>> keycloak-dev mailing list
>>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
9:36 a.m.
On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
Our URLs are quite long, examples:
* http://localhost:8080/auth/realms/master/protocols/openid-connect/login
* http://localhost:8080/auth/realms/master/account
We could remove the 'realms' part and 'protocols' parts couldn't we?
* http://localhost:8080/auth/master/oidc/login
* http://localhost:8080/auth/master/account
That would require moving everything under a realm and I guess we'd need to hard-wire
the protocols, but I think that should be fine.
Wouldn't work for multiple reasons.
* protocols/* exists to be able to plugin different protocols (oidc,
saml, etc.)
* Because of the crappy way JAX-RS dispatch algorithm handles wildcards
for both resource classes and resource locators we need both a "realms"
and "protocols" qualifier.
Its really funny you bring this up now because I've renewed my argument
with JAX-RS JSR just 2 minutes ago! Synchronicity!
We also need to make sure we can just the root context:
* http://localhost:8080/master/oidc/login
* http://localhost:8080/master/account
We can also introduce other mechanisms to select the realm. For example a server with
single realm can just omit it altogether:
* http://localhost:8080/oidc/login
* http://localhost:8080/account
And we could allow setting what domains uses what realms:
* http://keycloak-master/oidc/login
* http://keycloak-other/oidc/login
You don't think its better to have URLS be consistent?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:05 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/23/2015 12:23 PM, Stian Thorgersen wrote:
We also need to make sure we can just the root context:
* http://localhost:8080/master/oidc/login *
http://localhost:8080/master/account
Would this be the default? I'm asking because it would make it a bit
more difficult to use the same Wildfly instance with other projects,
like Hawkular/RHQ-Metrics, as they also try to deploy directly on the
root context.
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUwmNJAAoJECKM1e+fkPrXwbYH/1x1rPnKYytSovE/TCRb2Swi
AeDlgEhLR66i1+OiSpoQZvbwri3c4B/4x5l1AItk0DZ9+MZ/ZalFuhYj8BR1S4RA
bQOBZTepkyC3vwNE122yuJdzIFCjM7ZGsoy82hhzy5NjoRHjbUsOZp9V0obqjt4f
EfCRUjnlPOGbLCo88KBvrE2vFthEzrA2kk7oN2JcV6PLmLwIC+j18ix2qdHUCnLf
u7PggnrHGHqd261gb+0LTZWXZIdYc6VuXzOykfPzWZYgzp6A1L7nHEeK3XHRT696
gFob5VRg5SOUJeezQ4wgR2WmOK/oQVYKDpCT+M5Mj+fBq5mOGnCYpg49v3vRxWA=
=LSaR
-----END PGP SIGNATURE-----
10:14 a.m.
----- Original Message -----
From: "Juraci Paixão Kröhling"
<jpkroehling(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, January 23, 2015 4:05:45 PM
Subject: Re: [keycloak-dev] Shortening URLs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/23/2015 12:23 PM, Stian Thorgersen wrote:
> We also need to make sure we can just the root context:
>
> * http://localhost:8080/master/oidc/login *
> http://localhost:8080/master/account
Would this be the default? I'm asking because it would make it a bit
more difficult to use the same Wildfly instance with other projects,
like Hawkular/RHQ-Metrics, as they also try to deploy directly on the
root context.
No, the default would be /auth and that would be where we'd recommend all projects
that bundle Keycloak to have it as well
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUwmNJAAoJECKM1e+fkPrXwbYH/1x1rPnKYytSovE/TCRb2Swi
AeDlgEhLR66i1+OiSpoQZvbwri3c4B/4x5l1AItk0DZ9+MZ/ZalFuhYj8BR1S4RA
bQOBZTepkyC3vwNE122yuJdzIFCjM7ZGsoy82hhzy5NjoRHjbUsOZp9V0obqjt4f
EfCRUjnlPOGbLCo88KBvrE2vFthEzrA2kk7oN2JcV6PLmLwIC+j18ix2qdHUCnLf
u7PggnrHGHqd261gb+0LTZWXZIdYc6VuXzOykfPzWZYgzp6A1L7nHEeK3XHRT696
gFob5VRg5SOUJeezQ4wgR2WmOK/oQVYKDpCT+M5Mj+fBq5mOGnCYpg49v3vRxWA=
=LSaR
-----END PGP SIGNATURE-----
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
10:14 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/23/2015 04:14 PM, Stian Thorgersen wrote:
> No, the default would be /auth and that would be where we'd
> recommend all projects that bundle Keycloak to have it as well
Perfect, thanks :-)
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUwmVwAAoJECKM1e+fkPrXgvMH/1hGgf8VzbthPVHObqdiAIIt
9InZ8aZ2O25fQRctNmjqiCDO9OJ5fEoS8my3+VS+Ot/Wgqn8hXcdw6ZwEAXVvz/H
tPcOCW28TUncyZa+oA8zazeK20z2wCXt3T8a9QJWNC0vcHsAr32DWVhjYTze1BrW
18/PFgmyZXHO2Fn5fNnDdGMjlMWMkWDPZOVSjYgkyMPV+OI583QDG3Icn2GJESWz
QYbVg9zDdfQtRQ1Ki+lzSxcmep3G5cU2nSRh6H0UZ2BvuqpUPob4/6NipOpfiun9
FYHZO0KVce/YjGeZbWUnz/zCLbTLDpWdyqqo0LnOYB57IBEaB1SO11FIKu+T4rE=
=Ep0R
-----END PGP SIGNATURE-----
10:15 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, January 23, 2015 3:36:09 PM
Subject: Re: [keycloak-dev] Shortening URLs
On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
> Our URLs are quite long, examples:
>
> * http://localhost:8080/auth/realms/master/protocols/openid-connect/login
> * http://localhost:8080/auth/realms/master/account
>
> We could remove the 'realms' part and 'protocols' parts couldn't
we?
>
> * http://localhost:8080/auth/master/oidc/login
> * http://localhost:8080/auth/master/account
>
> That would require moving everything under a realm and I guess we'd need to
> hard-wire the protocols, but I think that should be fine.
>
Wouldn't work for multiple reasons.
* protocols/* exists to be able to plugin different protocols (oidc,
saml, etc.)
Yes, but couldn't we just hard-code it?
* Because of the crappy way JAX-RS dispatch algorithm handles
wildcards
for both resource classes and resource locators we need both a "realms"
and "protocols" qualifier.
Even if we moved all other paths under /auth/?
Its really funny you bring this up now because I've renewed my argument
with JAX-RS JSR just 2 minutes ago! Synchronicity!
> We also need to make sure we can just the root context:
>
> * http://localhost:8080/master/oidc/login
> * http://localhost:8080/master/account
>
> We can also introduce other mechanisms to select the realm. For example a
> server with single realm can just omit it altogether:
>
> * http://localhost:8080/oidc/login
> * http://localhost:8080/account
>
> And we could allow setting what domains uses what realms:
>
> * http://keycloak-master/oidc/login
> * http://keycloak-other/oidc/login
>
You don't think its better to have URLS be consistent?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
10:28 a.m.
On 1/23/2015 10:15 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Friday, January 23, 2015 3:36:09 PM
> Subject: Re: [keycloak-dev] Shortening URLs
>
>
>
> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>> Our URLs are quite long, examples:
>>
>> * http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>> * http://localhost:8080/auth/realms/master/account
>>
>> We could remove the 'realms' part and 'protocols' parts
couldn't we?
>>
>> * http://localhost:8080/auth/master/oidc/login
>> * http://localhost:8080/auth/master/account
>>
>> That would require moving everything under a realm and I guess we'd need to
>> hard-wire the protocols, but I think that should be fine.
>>
>
> Wouldn't work for multiple reasons.
>
> * protocols/* exists to be able to plugin different protocols (oidc,
> saml, etc.)
Yes, but couldn't we just hard-code it?
Go look at the code. It is implemented to support pluggable protocols.
You want to remove that capability just to shorted the URL?
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:28 a.m.
On 1/23/2015 9:36 AM, Bill Burke wrote:
On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
> Our URLs are quite long, examples:
>
> * http://localhost:8080/auth/realms/master/protocols/openid-connect/login
> * http://localhost:8080/auth/realms/master/account
>
> We could remove the 'realms' part and 'protocols' parts couldn't
we?
>
> * http://localhost:8080/auth/master/oidc/login
> * http://localhost:8080/auth/master/account
>
> That would require moving everything under a realm and I guess we'd need to
hard-wire the protocols, but I think that should be fine.
>
Wouldn't work for multiple reasons.
* protocols/* exists to be able to plugin different protocols (oidc,
saml, etc.)
* Because of the crappy way JAX-RS dispatch algorithm handles wildcards
for both resource classes and resource locators we need both a "realms"
and "protocols" qualifier.
Its really funny you bring this up now because I've renewed my argument
with JAX-RS JSR just 2 minutes ago! Synchronicity!
Bah! Scratch that...I think we might be able to remove "realms" so long
as we don't add any other root context wildcard resource classes. Using
a wildcard only for "protocols" might paint us in a corner as there may
be other wildcard resources we want to add in the future.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
1 p.m.
We can't remove "realms" qualifier unless the admin REST interface is
exposed under an entirely different WAR root context.
On 1/23/2015 10:28 AM, Bill Burke wrote:
On 1/23/2015 9:36 AM, Bill Burke wrote:
>
>
> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>> Our URLs are quite long, examples:
>>
>> * http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>> * http://localhost:8080/auth/realms/master/account
>>
>> We could remove the 'realms' part and 'protocols' parts
couldn't we?
>>
>> * http://localhost:8080/auth/master/oidc/login
>> * http://localhost:8080/auth/master/account
>>
>> That would require moving everything under a realm and I guess we'd need to
hard-wire the protocols, but I think that should be fine.
>>
>
> Wouldn't work for multiple reasons.
>
> * protocols/* exists to be able to plugin different protocols (oidc,
> saml, etc.)
> * Because of the crappy way JAX-RS dispatch algorithm handles wildcards
> for both resource classes and resource locators we need both a "realms"
> and "protocols" qualifier.
>
> Its really funny you bring this up now because I've renewed my argument
> with JAX-RS JSR just 2 minutes ago! Synchronicity!
>
Bah! Scratch that...I think we might be able to remove "realms" so long
as we don't add any other root context wildcard resource classes. Using
a wildcard only for "protocols" might paint us in a corner as there may
be other wildcard resources we want to add in the future.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3:51 a.m.
The main issue to address are shorter URL for services directly
accessible by users, which is account mgmt and admin console, right? How
about introduce aliases and add cookie scoped to '/auth' context, which
will handle the name of the realm user is logged in?
Some details:
* User will log into realm "foo" . Keycloak will add KEYCLOAK_REALM
cookie with content "foo" scoped to path "/auth" (or whatever context
is
auth-server deployed on)
* User goes to "/auth/account" . Keycloak will read cookie and redirect
user to "/auth/realms/foo/account"
* User goes to "/auth/admin" . Keycloak will read cookie and redirect
user to "/auth/admin/foo/console"
* If user's browser is logged into 2 realms, Keycloak can display the UI
page with radio buttons where user can choose his realm (Something like
Google is doing for choosing your account)
* If user is not logged into any realm, Keycloak can display list of all
realms and user can choose? Or directly redirect user if there is just
one realm available.
Maybe the behaviour could be somehow pluggable, so people can use
virtual hosts instead of cookie and access to
"http://foo.keycloak.org/auth/account" will use realm "foo" etc?
Marek
On 23.1.2015 19:00, Bill Burke wrote:
We can't remove "realms" qualifier unless the admin
REST interface is
exposed under an entirely different WAR root context.
On 1/23/2015 10:28 AM, Bill Burke wrote:
>
> On 1/23/2015 9:36 AM, Bill Burke wrote:
>>
>> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>>> Our URLs are quite long, examples:
>>>
>>> * http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>>> * http://localhost:8080/auth/realms/master/account
>>>
>>> We could remove the 'realms' part and 'protocols' parts
couldn't we?
>>>
>>> * http://localhost:8080/auth/master/oidc/login
>>> * http://localhost:8080/auth/master/account
>>>
>>> That would require moving everything under a realm and I guess we'd need
to hard-wire the protocols, but I think that should be fine.
>>>
>> Wouldn't work for multiple reasons.
>>
>> * protocols/* exists to be able to plugin different protocols (oidc,
>> saml, etc.)
>> * Because of the crappy way JAX-RS dispatch algorithm handles wildcards
>> for both resource classes and resource locators we need both a
"realms"
>> and "protocols" qualifier.
>>
>> Its really funny you bring this up now because I've renewed my argument
>> with JAX-RS JSR just 2 minutes ago! Synchronicity!
>>
> Bah! Scratch that...I think we might be able to remove "realms" so long
> as we don't add any other root context wildcard resource classes. Using
> a wildcard only for "protocols" might paint us in a corner as there may
> be other wildcard resources we want to add in the future.
>
4:04 a.m.
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>, keycloak-dev(a)lists.jboss.org
Sent: Monday, January 26, 2015 9:51:24 AM
Subject: Re: [keycloak-dev] Shortening URLs
The main issue to address are shorter URL for services directly
accessible by users, which is account mgmt and admin console, right? How
about introduce aliases and add cookie scoped to '/auth' context, which
will handle the name of the realm user is logged in?
Some details:
* User will log into realm "foo" . Keycloak will add KEYCLOAK_REALM
cookie with content "foo" scoped to path "/auth" (or whatever context
is
auth-server deployed on)
* User goes to "/auth/account" . Keycloak will read cookie and redirect
user to "/auth/realms/foo/account"
* User goes to "/auth/admin" . Keycloak will read cookie and redirect
user to "/auth/admin/foo/console"
* If user's browser is logged into 2 realms, Keycloak can display the UI
page with radio buttons where user can choose his realm (Something like
Google is doing for choosing your account)
* If user is not logged into any realm, Keycloak can display list of all
realms and user can choose? Or directly redirect user if there is just
one realm available.
I don't like that. It will be common for a user that goes directly to
'account' to not be logged-in and the user would have no clue of what realm to
select.
Also, how would that work if user logs in to multiple realms?
It's also very much against the whole resign of URLs to have dynamic URLs in such a
way.
Maybe the behaviour could be somehow pluggable, so people can use
virtual hosts instead of cookie and access to
"http://foo.keycloak.org/auth/account" will use realm "foo" etc?
Marek
On 23.1.2015 19:00, Bill Burke wrote:
> We can't remove "realms" qualifier unless the admin REST interface is
> exposed under an entirely different WAR root context.
>
>
>
>
> On 1/23/2015 10:28 AM, Bill Burke wrote:
>>
>> On 1/23/2015 9:36 AM, Bill Burke wrote:
>>>
>>> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>>>> Our URLs are quite long, examples:
>>>>
>>>> *
>>>> http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>>>> * http://localhost:8080/auth/realms/master/account
>>>>
>>>> We could remove the 'realms' part and 'protocols' parts
couldn't we?
>>>>
>>>> * http://localhost:8080/auth/master/oidc/login
>>>> * http://localhost:8080/auth/master/account
>>>>
>>>> That would require moving everything under a realm and I guess we'd
need
>>>> to hard-wire the protocols, but I think that should be fine.
>>>>
>>> Wouldn't work for multiple reasons.
>>>
>>> * protocols/* exists to be able to plugin different protocols (oidc,
>>> saml, etc.)
>>> * Because of the crappy way JAX-RS dispatch algorithm handles wildcards
>>> for both resource classes and resource locators we need both a
"realms"
>>> and "protocols" qualifier.
>>>
>>> Its really funny you bring this up now because I've renewed my argument
>>> with JAX-RS JSR just 2 minutes ago! Synchronicity!
>>>
>> Bah! Scratch that...I think we might be able to remove "realms" so
long
>> as we don't add any other root context wildcard resource classes. Using
>> a wildcard only for "protocols" might paint us in a corner as there
may
>> be other wildcard resources we want to add in the future.
>>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
4:45 a.m.
On 26.1.2015 10:04, Stian Thorgersen wrote:
----- Original Message -----
> From: "Marek Posolda" <mposolda(a)redhat.com>
> To: "Bill Burke" <bburke(a)redhat.com>, keycloak-dev(a)lists.jboss.org
> Sent: Monday, January 26, 2015 9:51:24 AM
> Subject: Re: [keycloak-dev] Shortening URLs
>
> The main issue to address are shorter URL for services directly
> accessible by users, which is account mgmt and admin console, right? How
> about introduce aliases and add cookie scoped to '/auth' context, which
> will handle the name of the realm user is logged in?
>
> Some details:
>
> * User will log into realm "foo" . Keycloak will add KEYCLOAK_REALM
> cookie with content "foo" scoped to path "/auth" (or whatever
context is
> auth-server deployed on)
>
> * User goes to "/auth/account" . Keycloak will read cookie and redirect
> user to "/auth/realms/foo/account"
>
> * User goes to "/auth/admin" . Keycloak will read cookie and redirect
> user to "/auth/admin/foo/console"
>
> * If user's browser is logged into 2 realms, Keycloak can display the UI
> page with radio buttons where user can choose his realm (Something like
> Google is doing for choosing your account)
>
> * If user is not logged into any realm, Keycloak can display list of all
> realms and user can choose? Or directly redirect user if there is just
> one realm available.
I don't like that. It will be common for a user that goes directly to
'account' to not be logged-in and the user would have no clue of what realm to
select.
Also, how would that work if user logs in to multiple realms?
Also allow him to
choose from UI as I mentioned above (paragraph with
4th star)
It's also very much against the whole resign of URLs to have dynamic URLs in such a
way.
Maybe, I am not sure. Cookie could be one alternative and another could
be virtual hosts. We can maybe have possibility for admins to specify
"redirection policies" so admin can easily specify that access to
"http://foo.keycloak.org/auth/account" would redirect users to
"http://keycloak.org/auth/realms/foo/account" .
Admins can already put keycloak behind Apache, which provides
possibilities to handle redirection based on various rules. I am just
wondering if we should put something into Keycloak itself without need
to rewrite our existing urls and give up on pluggable protocols etc.
Marek
>
> Maybe the behaviour could be somehow pluggable, so people can use
> virtual hosts instead of cookie and access to
> "http://foo.keycloak.org/auth/account" will use realm "foo" etc?
>
> Marek
>
> On 23.1.2015 19:00, Bill Burke wrote:
>> We can't remove "realms" qualifier unless the admin REST interface
is
>> exposed under an entirely different WAR root context.
>>
>>
>>
>>
>> On 1/23/2015 10:28 AM, Bill Burke wrote:
>>> On 1/23/2015 9:36 AM, Bill Burke wrote:
>>>> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>>>>> Our URLs are quite long, examples:
>>>>>
>>>>> *
>>>>>
http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>>>>> * http://localhost:8080/auth/realms/master/account
>>>>>
>>>>> We could remove the 'realms' part and 'protocols'
parts couldn't we?
>>>>>
>>>>> * http://localhost:8080/auth/master/oidc/login
>>>>> * http://localhost:8080/auth/master/account
>>>>>
>>>>> That would require moving everything under a realm and I guess
we'd need
>>>>> to hard-wire the protocols, but I think that should be fine.
>>>>>
>>>> Wouldn't work for multiple reasons.
>>>>
>>>> * protocols/* exists to be able to plugin different protocols (oidc,
>>>> saml, etc.)
>>>> * Because of the crappy way JAX-RS dispatch algorithm handles wildcards
>>>> for both resource classes and resource locators we need both a
"realms"
>>>> and "protocols" qualifier.
>>>>
>>>> Its really funny you bring this up now because I've renewed my
argument
>>>> with JAX-RS JSR just 2 minutes ago! Synchronicity!
>>>>
>>> Bah! Scratch that...I think we might be able to remove "realms" so
long
>>> as we don't add any other root context wildcard resource classes. Using
>>> a wildcard only for "protocols" might paint us in a corner as there
may
>>> be other wildcard resources we want to add in the future.
>>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
5:08 a.m.
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-dev(a)lists.jboss.org
Sent: Monday, January 26, 2015 10:45:03 AM
Subject: Re: [keycloak-dev] Shortening URLs
On 26.1.2015 10:04, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda(a)redhat.com>
>> To: "Bill Burke" <bburke(a)redhat.com>,
keycloak-dev(a)lists.jboss.org
>> Sent: Monday, January 26, 2015 9:51:24 AM
>> Subject: Re: [keycloak-dev] Shortening URLs
>>
>> The main issue to address are shorter URL for services directly
>> accessible by users, which is account mgmt and admin console, right? How
>> about introduce aliases and add cookie scoped to '/auth' context, which
>> will handle the name of the realm user is logged in?
>>
>> Some details:
>>
>> * User will log into realm "foo" . Keycloak will add KEYCLOAK_REALM
>> cookie with content "foo" scoped to path "/auth" (or
whatever context is
>> auth-server deployed on)
>>
>> * User goes to "/auth/account" . Keycloak will read cookie and
redirect
>> user to "/auth/realms/foo/account"
>>
>> * User goes to "/auth/admin" . Keycloak will read cookie and redirect
>> user to "/auth/admin/foo/console"
>>
>> * If user's browser is logged into 2 realms, Keycloak can display the UI
>> page with radio buttons where user can choose his realm (Something like
>> Google is doing for choosing your account)
>>
>> * If user is not logged into any realm, Keycloak can display list of all
>> realms and user can choose? Or directly redirect user if there is just
>> one realm available.
> I don't like that. It will be common for a user that goes directly to
> 'account' to not be logged-in and the user would have no clue of what
> realm to select.
>
> Also, how would that work if user logs in to multiple realms?
Also allow him to choose from UI as I mentioned above (paragraph with
4th star)
What if user is logged-in to one realm, but was expecting account for another? Besides, my
other point still stands I don't expect a user to have any clue what a realm is.
>
> It's also very much against the whole resign of URLs to have dynamic URLs
> in such a way.
Maybe, I am not sure. Cookie could be one alternative and another could
be virtual hosts. We can maybe have possibility for admins to specify
"redirection policies" so admin can easily specify that access to
"http://foo.keycloak.org/auth/account" would redirect users to
"http://keycloak.org/auth/realms/foo/account" .
Admins can already put keycloak behind Apache, which provides
possibilities to handle redirection based on various rules. I am just
wondering if we should put something into Keycloak itself without need
to rewrite our existing urls and give up on pluggable protocols etc.
A fixed alias is a better suggestion than a cookie. I really don't think it's a
good idea to have a URL that redirects depending on the value of a cookie.
Still, a fixed alias seems a bit like a work-around than an actual fix
Marek
>
>>
>> Maybe the behaviour could be somehow pluggable, so people can use
>> virtual hosts instead of cookie and access to
>> "http://foo.keycloak.org/auth/account" will use realm "foo"
etc?
>>
>> Marek
>>
>> On 23.1.2015 19:00, Bill Burke wrote:
>>> We can't remove "realms" qualifier unless the admin REST
interface is
>>> exposed under an entirely different WAR root context.
>>>
>>>
>>>
>>>
>>> On 1/23/2015 10:28 AM, Bill Burke wrote:
>>>> On 1/23/2015 9:36 AM, Bill Burke wrote:
>>>>> On 1/23/2015 6:23 AM, Stian Thorgersen wrote:
>>>>>> Our URLs are quite long, examples:
>>>>>>
>>>>>> *
>>>>>>
http://localhost:8080/auth/realms/master/protocols/openid-connect/login
>>>>>> * http://localhost:8080/auth/realms/master/account
>>>>>>
>>>>>> We could remove the 'realms' part and
'protocols' parts couldn't we?
>>>>>>
>>>>>> * http://localhost:8080/auth/master/oidc/login
>>>>>> * http://localhost:8080/auth/master/account
>>>>>>
>>>>>> That would require moving everything under a realm and I guess
we'd
>>>>>> need
>>>>>> to hard-wire the protocols, but I think that should be fine.
>>>>>>
>>>>> Wouldn't work for multiple reasons.
>>>>>
>>>>> * protocols/* exists to be able to plugin different protocols
(oidc,
>>>>> saml, etc.)
>>>>> * Because of the crappy way JAX-RS dispatch algorithm handles
wildcards
>>>>> for both resource classes and resource locators we need both a
"realms"
>>>>> and "protocols" qualifier.
>>>>>
>>>>> Its really funny you bring this up now because I've renewed my
argument
>>>>> with JAX-RS JSR just 2 minutes ago! Synchronicity!
>>>>>
>>>> Bah! Scratch that...I think we might be able to remove
"realms" so long
>>>> as we don't add any other root context wildcard resource classes.
Using
>>>> a wildcard only for "protocols" might paint us in a corner as
there may
>>>> be other wildcard resources we want to add in the future.
>>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
3382
days inactive
3385
days old
27 comments
6 participants
participants (6)
-
Bill Burke -
Juraci Paixão Kröhling -
Marek Posolda -
Pedro Igor Silva -
Stan Silvert -
Stian Thorgersen