We need to add a generic provider config mechanism. It should be possible to configure providers at two levels: * Server - through keycloak-server.json * Realm - through RealmProvider With regards to server we already have this. It requires editing the keycloak-server.json and restarting the server. IMO that's fine for now, and we can consider adding support for doing this at runtime through the admin console in the future. For realm config (which would be needed for ldap) I propose that we add a ProviderConfigModel to RealmProvider. The ProviderConfigModel consists of: * RealmModel realm * String spi * String provider * Map<String, String> config We need to add an admin endpoints to add/update provider configs as well as making it possible to edit these through the admin console. We should add a method to the provider factory: * List<ConfigOption> getConfigOptions - this will return the configuration options the provider can support ConfigOption will include (we could also add support for validation): * String key * String label On the admin console I propose we add a Provider config page. The page will list out all available SPIs, once you select an SPI it will list out all available providers. You can then click on individual providers to get a form to edit the provider config. The form will use the getConfigOptions to know what labels/input fields to add. Further, we need to make some changes to KeycloakSession/ProviderFactory to support realm config. We could change ProviderFactory.create(KeycloakSession session) to ProviderFactory.create(KeycloakSession session, String realmId, Config.Scope realmConfig). This allows a provider to either share resources (i.e. connections) with multiple realms, or if it wants different connections per-realm it can handle that internally (for example in a map using realmId as the key). _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

From: "Stian Thorgersen" <stian(a)redhat.com&gt; To: "Bill Burke" <bburke(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Tuesday, 22 July, 2014 2:08:20 PM Subject: Re: [keycloak-dev] Provider config ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: keycloak-dev(a)lists.jboss.org > Sent: Tuesday, 22 July, 2014 2:04:56 PM > Subject: Re: [keycloak-dev] Provider config > > Can you keep the KeycloakSesion/Provider SPIs backward compatible while > you do this? Do we need to? If we do it'll need some more thinking ;) > > On 7/22/2014 5:56 AM, Stian Thorgersen wrote: > > We need to add a generic provider config mechanism. It should be possible > > to configure providers at two levels: > > > > * Server - through keycloak-server.json > > * Realm - through RealmProvider > > > > With regards to server we already have this. It requires editing the > > keycloak-server.json and restarting the server. IMO that's fine for now, > > and we can consider adding support for doing this at runtime through the > > admin console in the future. > > > > For realm config (which would be needed for ldap) I propose that we add a > > ProviderConfigModel to RealmProvider. The ProviderConfigModel consists > > of: > > > > * RealmModel realm > > * String spi > > * String provider > > * Map<String, String> config > > > > We need to add an admin endpoints to add/update provider configs as well > > as > > making it possible to edit these through the admin console. We should add > > a method to the provider factory: > > > > * List<ConfigOption> getConfigOptions - this will return the > > configuration > > options the provider can support > > > > ConfigOption will include (we could also add support for validation): > > > > * String key > > * String label > > > > On the admin console I propose we add a Provider config page. The page > > will > > list out all available SPIs, once you select an SPI it will list out all > > available providers. You can then click on individual providers to get a > > form to edit the provider config. The form will use the getConfigOptions > > to know what labels/input fields to add. > > > > Further, we need to make some changes to KeycloakSession/ProviderFactory > > to > > support realm config. We could change > > ProviderFactory.create(KeycloakSession session) to > > ProviderFactory.create(KeycloakSession session, String realmId, > > Config.Scope realmConfig). This allows a provider to either share > > resources (i.e. connections) with multiple realms, or if it wants > > different connections per-realm it can handle that internally (for > > example > > in a map using realmId as the key). > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

From: "Bill Burke" <bburke(a)redhat.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Tuesday, 22 July, 2014 2:43:11 PM Subject: Re: [keycloak-dev] Provider config Certain providers may have multiple instances/configs of themselves in the same realm. i.e. authentication providers (soon to be federation providers) which may be federating multiple different LDAP databases. Also, in the future, social may turn into a "federated broker SPI" where multiple generic federated broker providers can be configured per realm (i.e. SAML or other openid connections).

I honestly don't want a generic "provider" admin console page where you generically configure the providers. I think it is a mistake. We're supposed to be making things easier and we should be making tailored console pages for what we ship out of the box.

On 7/22/2014 9:16 AM, Stian Thorgersen wrote: > Maybe it'll make sense to have two types of providers? Server-scoped and > realm-scoped. > > ----- Original Message ----- >> From: "Stian Thorgersen" <stian(a)redhat.com&gt; >> To: "Bill Burke" <bburke(a)redhat.com&gt; >> Cc: keycloak-dev(a)lists.jboss.org >> Sent: Tuesday, 22 July, 2014 2:08:20 PM >> Subject: Re: [keycloak-dev] Provider config >> >> >> >> ----- Original Message ----- >>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>> To: keycloak-dev(a)lists.jboss.org >>> Sent: Tuesday, 22 July, 2014 2:04:56 PM >>> Subject: Re: [keycloak-dev] Provider config >>> >>> Can you keep the KeycloakSesion/Provider SPIs backward compatible while >>> you do this? >> >> Do we need to? If we do it'll need some more thinking ;) >> >>> >>> On 7/22/2014 5:56 AM, Stian Thorgersen wrote: >>>> We need to add a generic provider config mechanism. It should be >>>> possible >>>> to configure providers at two levels: >>>> >>>> * Server - through keycloak-server.json >>>> * Realm - through RealmProvider >>>> >>>> With regards to server we already have this. It requires editing the >>>> keycloak-server.json and restarting the server. IMO that's fine for now, >>>> and we can consider adding support for doing this at runtime through the >>>> admin console in the future. >>>> >>>> For realm config (which would be needed for ldap) I propose that we add >>>> a >>>> ProviderConfigModel to RealmProvider. The ProviderConfigModel consists >>>> of: >>>> >>>> * RealmModel realm >>>> * String spi >>>> * String provider >>>> * Map<String, String> config >>>> >>>> We need to add an admin endpoints to add/update provider configs as well >>>> as >>>> making it possible to edit these through the admin console. We should >>>> add >>>> a method to the provider factory: >>>> >>>> * List<ConfigOption> getConfigOptions - this will return the >>>> configuration >>>> options the provider can support >>>> >>>> ConfigOption will include (we could also add support for validation): >>>> >>>> * String key >>>> * String label >>>> >>>> On the admin console I propose we add a Provider config page. The page >>>> will >>>> list out all available SPIs, once you select an SPI it will list out all >>>> available providers. You can then click on individual providers to get a >>>> form to edit the provider config. The form will use the getConfigOptions >>>> to know what labels/input fields to add. >>>> >>>> Further, we need to make some changes to KeycloakSession/ProviderFactory >>>> to >>>> support realm config. We could change >>>> ProviderFactory.create(KeycloakSession session) to >>>> ProviderFactory.create(KeycloakSession session, String realmId, >>>> Config.Scope realmConfig). This allows a provider to either share >>>> resources (i.e. connections) with multiple realms, or if it wants >>>> different connections per-realm it can handle that internally (for >>>> example >>>> in a map using realmId as the key). >>>> _______________________________________________ >>>> keycloak-dev mailing list >>>> keycloak-dev(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From: "Bill Burke" <bburke(a)redhat.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Tuesday, 22 July, 2014 4:57:37 PM Subject: Re: [keycloak-dev] Provider config On 7/22/2014 9:53 AM, Stian Thorgersen wrote: > > > ----- Original Message ----- >> From: "Bill Burke" <bburke(a)redhat.com&gt; >> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >> Cc: keycloak-dev(a)lists.jboss.org >> Sent: Tuesday, 22 July, 2014 2:43:11 PM >> Subject: Re: [keycloak-dev] Provider config >> >> Certain providers may have multiple instances/configs of themselves in >> the same realm. i.e. authentication providers (soon to be federation >> providers) which may be federating multiple different LDAP databases. >> Also, in the future, social may turn into a "federated broker SPI" where >> multiple generic federated broker providers can be configured per realm >> (i.e. SAML or other openid connections). > > Didn't consider that, we'll definitively need it > In my private fork, I pulled getProviderFactory methods from DefaultKeycloakSessionFactory up to KeycloakSessionFactory methods. Then defined my own specialized create methods. I don't use KeycloakSession.getProvider() anymore. >> >> I honestly don't want a generic "provider" admin console page where you >> generically configure the providers. I think it is a mistake. We're >> supposed to be making things easier and we should be making tailored >> console pages for what we ship out of the box. > > What about we allow configuring specific SPIs in the correct place, but > still use a form that is populated with labels/inputs from the providers > ConfigOptions? > LDAP config already doesn't fit into pure labels/inputs. IMO, rendering information belongs in HTML :) -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From: "Bill Burke" <bburke(a)redhat.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Tuesday, 22 July, 2014 8:49:02 PM Subject: Re: [keycloak-dev] Provider config That's doesn't necessarily my thoughts are any good though. I'll iterate you can reiterate I guess...

On 7/22/2014 12:19 PM, Stian Thorgersen wrote: > Sounds like you've thought about this more than me, so I'll leave it with > you to sort out ;) > > ----- Original Message ----- >> From: "Bill Burke" <bburke(a)redhat.com&gt; >> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >> Cc: keycloak-dev(a)lists.jboss.org >> Sent: Tuesday, 22 July, 2014 4:57:37 PM >> Subject: Re: [keycloak-dev] Provider config >> >> >> >> On 7/22/2014 9:53 AM, Stian Thorgersen wrote: >>> >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>> Cc: keycloak-dev(a)lists.jboss.org >>>> Sent: Tuesday, 22 July, 2014 2:43:11 PM >>>> Subject: Re: [keycloak-dev] Provider config >>>> >>>> Certain providers may have multiple instances/configs of themselves in >>>> the same realm. i.e. authentication providers (soon to be federation >>>> providers) which may be federating multiple different LDAP databases. >>>> Also, in the future, social may turn into a "federated broker SPI" where >>>> multiple generic federated broker providers can be configured per realm >>>> (i.e. SAML or other openid connections). >>> >>> Didn't consider that, we'll definitively need it >>> >> >> In my private fork, I pulled getProviderFactory methods from >> DefaultKeycloakSessionFactory up to KeycloakSessionFactory methods. >> Then defined my own specialized create methods. I don't use >> KeycloakSession.getProvider() anymore. >> >> >>>> >>>> I honestly don't want a generic "provider" admin console page where you >>>> generically configure the providers. I think it is a mistake. We're >>>> supposed to be making things easier and we should be making tailored >>>> console pages for what we ship out of the box. >>> >>> What about we allow configuring specific SPIs in the correct place, but >>> still use a form that is populated with labels/inputs from the providers >>> ConfigOptions? >>> >> >> LDAP config already doesn't fit into pure labels/inputs. IMO, rendering >> information belongs in HTML :) >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com