[keycloak-dev] M1 release scope

Marek Posolda mposolda at redhat.com
Thu Sep 19 04:37:39 EDT 2013


btw. Picketlink has the possibility to use LDAP and file-based backends, and
we can easily support this possibility if we use XML-based configuration:
http://docs.jboss.org/picketlink/2/latest/reference/html/ch06.html#idm_configuration_from_xml_file
I've contributed the XML configuration of IDM to Picketlink, so I can
easily adapt it to Keycloak if you want.

We will just need to upgrade Picketlink from 2.5.0.Beta6 to the newest
2.5.2.Final. I think we need to upgrade anyway to have all the bugfixes
applied. I am aware of at least this quite bad security issue
https://issues.jboss.org/browse/PLINK-258 which is in 2.5.0.Beta6 (I
found this one when inspecting Keycloak Picketlink DB content).

Marek

On 19.9.2013 10:28, Marek Posolda wrote:
> On 19.9.2013 03:11, Bill Burke wrote:
>> We need to decide what we want to do for M1.  Here's my stab at it.
>> Let's discuss in email first as much as we can and then have a hangout
>> sometime next week to go over it and nail things down.
>>
>> First and foremost.  We have to focus.  No new features.  No playing
>> around.  For example:  no adding refresh token support.  No client-cert
>> support.  No changes to protocols. No new backends.  Let's just use
>> Picketlink JDBC.  No 'forgot password' using SMS, etc... You get the
>> picture.
> At this moment, I have a working MongoDB backend and I would like to send
> a PR with it by the end of this week. I just need to adapt it to the
> latest changes in the RealmModel and UserModel interfaces (added new fields
> related to requiredActions and totp).
>
> TBH I don't know why not to have it as part of M1? I am not seeing any
> disadvantages for people in having the possibility to choose from more
> backends? Another thing is that it is easier for people to see or edit
> DB content directly in a MongoDB database. Of course it's not as easy as
> directly editing an XML/JSON file, but much easier than the Picketlink IDM DB
> schema, which is quite complex.
>
> I am seeing just one disadvantage, that every change in model interfaces
> needs to be adapted to both backend implementations, but you can always
> work around this by implementing stuff just for Picketlink and creating a JIRA
> for me to adapt changes to the MongoDB backend. I can also disable MongoDB
> unit tests by default (ATM I have them enabled by default in my branch).
>
> Marek
>
>> Required:
>>
>> * Social Broker login with as many providers as possible.  Minimally
>> Google and Facebook.
>> * SSO and SLO (Single Log Out)
>> * Password and TOTP login
>> * OAuth Client Grant support
>> * Example with apps using all of these features
>> * Keycloak website setup and finalized
>> * Online video walking through a demonstration of features
>> * Online video walking through how to configure it
>> * JBoss 7.1.x Community and JBoss EAP 6.1 support
>>
>> Knowing this there are two paths we can take.  We can either include an
>> Admin UI in M1 or not.  IMO, if we do *NOT* have an Admin UI for M1, we
>> probably need to not have registration or account management.  Here's
>> what it might look like:
>>
>> Option #1: No Input UIs
>>
>> * A read-only XML/JSON file-based backend.  Users must edit this to add
>> users, roles, etc...
>> * No Admin UI
>> * No Registration, forgotten passwords, account management.  All these
>> require runtime updates to the database.
>> * What would we do about social though?  As it requires registration?
>>
>> Work required (time estimates could take shorter or longer depending on
>> interruptions):
>> * 1-2 man-weeks to do file-based back-end
>> * 1-5 days to design the OAuth Grant Pages.
>> * 1 day to incorporate Grant pages
>> * Do we want fancier demo apps to show SSO and OAuth Grants?  If so,
>> this is minimum 2 weeks.  1 to get Event Juggler hooked into Keycloak.
>> 1+ weeks to create another related SSO application.  1+ more to create
>> an OAuth application.
>> * 1 week to organize the Website and create demo videos.
>> * 1-2 weeks for documentation
>> * 1+ weeks to decide and implement how we're going to distribute
>> keycloak.  Will it be an AS7 and/or EAP distro?  A WAR?  etc...
>>
>> So best case scenario is end of October.  It would minimally require
>> myself and Gabriel.  Others would be needed if we want fancier demo apps
>> as it is beyond my ability to create a nice looking demo app in a short
>> period of time.
>>
>> Option #2: UIs
>>
>> This would take a lot more work as we would need to finish up the admin,
>> registration, and account management UIs.  I'd say Christmas time would
>> be a viable M1 release for this.  This would require everybody.
>>
>>