[keycloak-dev] Keycloak subsystem

Bill Burke bburke at redhat.com
Mon Dec 9 14:39:25 EST 2013


Yes, definitely all features I envisioned we would have.  The only thing 
I'm not sure how to handle is application credentials.  I think 
Picketlink is doing something very similar via WS Trust.  Not sure 
though, as I've stayed clear of WS-* pretty much.

OAuth protocol requires that applications ("clients") have their own 
credentials.  They send these credentials when an Auth Code is turned 
into an Auth Token.  Maybe we need something like a "Server Instance" 
that is allowed to request auth tokens on behalf of an application.

On 12/9/2013 2:19 PM, ssilvert at redhat.com wrote:
> In Thunderlips, we have a requirement that console applications should
> not be required to know where the Keycloak server resides at build
> time.  Furthermore, an administrator should not need to crack open a WAR
> to include this information.  Instead, the application should learn
> about its environment at deploy time.
>
> Picketlink already has this capability, but I think we can go beyond
> what it currently offers.  The basic idea for the Keycloak subsystem is
> that no application should ever need to define anything about
> authentication.  At development time, the application should not need to
> know anything about Keycloak or really anything about authentication at
> all.  The application should only need to know about authorization and
> the roles it wants to define.
>
> So using the Keycloak subsystem, an application will not be required to use:
> * keycloak.json
> * jboss-web.xml
> * jboss-deployment-structure.xml
> (Did I leave anything out?  It looks like this is what an app currently
> needs to work with Keycloak.)
>
> From the Keycloak admin UI, you will be able to choose an application
> and add it to a Keycloak realm.  When that application is deployed, the
> Keycloak subsystem adds all that used to be defined in keycloak.json,
> jboss-web.xml, and jboss-deployment-structure.xml.
>
> The big picture is that a developer never needs to think about
> authentication.  And an administrator never needs to crack open a WAR or
> worry about what authentication was built into some WAR he wants to deploy.
>
> WDYT?
>
> Stan

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com