10:06 a.m.
Hey guys,
Peter is currently working on setting the "defaultProvider" configuration
parameter in the "identity-provider-redirector". The old Operator used this
functionality here [1] and Peter wanted to port it to the new Operator.
@Peter - if I may ask you - could you please describe the use case this is
being used in?
During our initial conversation, we agreed that we want to setup all Realm
bits in a single REST call. In other words - Keycloak Realm CR should match
exported realm JSON format. However, modifying existing browser flow hardly
first into this scenario. It would require sending a JSON with full list of
"authenticationFlows" as well as a full list of "authenticatorConfig"
objects (as Config is matched with an authentication flow using an id).
I experimented with an exported Realm and here's what I have [2]. As you
probably noticed - it's enormous and very fragile (as it contains many,
many options I have to set upfront).
Do you have any idea how to solve this? I have three options in my head:
1) Use a second REST call (after creating a Realm) and modify the
"authenticatorConfig". In other words - do everything exactly the same way
the old Operator did
2) Force users to embed the full Realm configuration every time they create
a Realm.
3) Create some sort of profiles in Keycloak. This way, when an Operator
uses proper profile, we set the "defaultProvider" to proper value
out-of-the-box.
Thanks,
Sebastian
[1]
https://github.com/integr8ly/keycloak-operator/blob/d97ee5de8c2b227d684ad...
[2]
https://gist.github.com/slaskawi/79847124a268b94c8391e01f13b21409#file-ke...
2:44 a.m.
Hey,
we are using this feature in RHMI to configure the browser authentication
flow for the user facing RHSSO instance (the one that customers can use in
their own projects as opposed to the cluster wide SSO for middleware
services).
The options were to make the required REST calls in our installer or add
this convenience feature to the operator and we decided for the latter.
As to how it should work in the future, my thoughts are: Option 3 would be
ideal while 1 seems acceptable. Option 2 is not really acceptable because
the JSON required is very cumbersome and would require us to include Id's
which is not something an end user should do.
Regards,
Peter
On Sat, Nov 2, 2019 at 4:07 PM Sebastian Laskawiec <slaskawi(a)redhat.com>
wrote:
Hey guys,
Peter is currently working on setting the "defaultProvider" configuration
parameter in the "identity-provider-redirector". The old Operator used this
functionality here [1] and Peter wanted to port it to the new Operator.
@Peter - if I may ask you - could you please describe the use case this is
being used in?
During our initial conversation, we agreed that we want to setup all Realm
bits in a single REST call. In other words - Keycloak Realm CR should match
exported realm JSON format. However, modifying existing browser flow hardly
first into this scenario. It would require sending a JSON with full list of
"authenticationFlows" as well as a full list of
"authenticatorConfig"
objects (as Config is matched with an authentication flow using an id).
I experimented with an exported Realm and here's what I have [2]. As you
probably noticed - it's enormous and very fragile (as it contains many,
many options I have to set upfront).
Do you have any idea how to solve this? I have three options in my head:
1) Use a second REST call (after creating a Realm) and modify the
"authenticatorConfig". In other words - do everything exactly the same way
the old Operator did
2) Force users to embed the full Realm configuration every time they
create a Realm.
3) Create some sort of profiles in Keycloak. This way, when an Operator
uses proper profile, we set the "defaultProvider" to proper value
out-of-the-box.
Thanks,
Sebastian
[1]
https://github.com/integr8ly/keycloak-operator/blob/d97ee5de8c2b227d684ad...
[2]
https://gist.github.com/slaskawi/79847124a268b94c8391e01f13b21409#file-ke...
3:32 a.m.
In general there is an issue with realm representations often being
bloated, especially with authentication flows. This issue should be solved
on the Keycloak server (at least long term). Short term the simplest would
just be to include the full authentication flow definition in the realm
representation. Long term the realm representations should be improved both
in terms of import and export. Export should only include values that have
changed from the defaults and not all values. Import should allow setting
only what you want to change and not everything, with regards to auth flows
it should be possible to set config of the default flow, without having to
specify the default flow itself.
On Sat, 2 Nov 2019 at 16:07, Sebastian Laskawiec <slaskawi(a)redhat.com>
wrote:
Hey guys,
Peter is currently working on setting the "defaultProvider" configuration
parameter in the "identity-provider-redirector". The old Operator used this
functionality here [1] and Peter wanted to port it to the new Operator.
@Peter - if I may ask you - could you please describe the use case this is
being used in?
During our initial conversation, we agreed that we want to setup all Realm
bits in a single REST call. In other words - Keycloak Realm CR should match
exported realm JSON format. However, modifying existing browser flow hardly
first into this scenario. It would require sending a JSON with full list of
"authenticationFlows" as well as a full list of
"authenticatorConfig"
objects (as Config is matched with an authentication flow using an id).
I experimented with an exported Realm and here's what I have [2]. As you
probably noticed - it's enormous and very fragile (as it contains many,
many options I have to set upfront).
Do you have any idea how to solve this? I have three options in my head:
1) Use a second REST call (after creating a Realm) and modify the
"authenticatorConfig". In other words - do everything exactly the same way
the old Operator did
I don't like this at all as it is a pandora's box.
2) Force users to embed the full Realm configuration every time they
create a Realm.
I would go for this option for now, as it will probably be quite a bit of
effort to do it properly, as that requires somehow to specify some config
overrides for the default authn flows on import.
3) Create some sort of profiles in Keycloak. This way, when an
Operator
uses proper profile, we set the "defaultProvider" to proper value
out-of-the-box.
I don't really understand what you are proposing in option 3.
6:16 a.m.
After discussing this with Stian we decided on the following:
we will support configuring the browser redirection flow via the Realm CR
but make it obvious that it is not part of the realm specification. Instead
we will add an extra property to the CR which allows a number of overrides:
spec:
...
realmOverrides:
- redirectorIdentityProvider: 'openshift-v4'
forFlow: 'browser'
No other overrides will be supported and as soon as the Keycloak API
supports updates to flows, the overrides will be deprecated.
1649
days inactive
1651
days old
3 comments
3 participants
participants (3)
-
Peter Braun -
Sebastian Laskawiec -
Stian Thorgersen