In general there is an issue with realm representations often being
bloated, especially with authentication flows. This issue should be solved
on the Keycloak server (at least long term). Short term the simplest would
just be to include the full authentication flow definition in the realm
representation. Long term the realm representations should be improved both
in terms of import and export. Export should only include values that have
changed from the defaults and not all values. Import should allow setting
only what you want to change and not everything, with regards to auth flows
it should be possible to set config of the default flow, without having to
specify the default flow itself.
On Sat, 2 Nov 2019 at 16:07, Sebastian Laskawiec <slaskawi(a)redhat.com>
Peter is currently working on setting the "defaultProvider" configuration
parameter in the "identity-provider-redirector". The old Operator used this
functionality here  and Peter wanted to port it to the new Operator.
@Peter - if I may ask you - could you please describe the use case this is
being used in?
During our initial conversation, we agreed that we want to setup all Realm
bits in a single REST call. In other words - Keycloak Realm CR should match
exported realm JSON format. However, modifying existing browser flow hardly
first into this scenario. It would require sending a JSON with full list of
"authenticationFlows" as well as a full list of
objects (as Config is matched with an authentication flow using an id).
I experimented with an exported Realm and here's what I have . As you
probably noticed - it's enormous and very fragile (as it contains many,
many options I have to set upfront).
Do you have any idea how to solve this? I have three options in my head:
1) Use a second REST call (after creating a Realm) and modify the
"authenticatorConfig". In other words - do everything exactly the same way
the old Operator did
I don't like this at all as it is a pandora's box.
2) Force users to embed the full Realm configuration every time they
create a Realm.
I would go for this option for now, as it will probably be quite a bit of
effort to do it properly, as that requires somehow to specify some config
overrides for the default authn flows on import.
3) Create some sort of profiles in Keycloak. This way, when an
uses proper profile, we set the "defaultProvider" to proper value
I don't really understand what you are proposing in option 3.