[keycloak-dev] M1 release scope

Stian Thorgersen stian at redhat.com
Thu Sep 19 05:10:17 EDT 2013


I think we need to have:

* REST endpoints for admin tasks - managing realms, applications and users - it should be possible to authenticate to these using TokenService
* REST endpoints for user tasks - login, register, change password, etc. - same again authenticate using TokenService
* Document all REST endpoints
* Forms for required user actions - register, verify email, reset password, update profile (for social)

The admin console could be (and should be IMO) separated out completely. To enable it you would register it as an application with the Keycloak server and configure it in the same way as you use any other application. This way it can be released separately to the main Keycloak server (and also deployed separately). I also think we should get rid of the authentication parts in SaasService and use TokenService instead. This is to reduce the duplicated effort, and also I think that's the correct approach in either case - the admin console (and any other consoles, CLI, etc.) should just be applications registered with Keycloak and use public REST endpoints for authentication and to manage realms/apps/users.

It would be nice to have the user account management pages as well, but this should definitely be a feature that can be dropped depending on resources and time. Users can't be expected to use REST endpoints, but admins could (at least for m1, and with some examples for editing realms, users, etc. with curl).

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, 19 September, 2013 2:11:18 AM
> Subject: [keycloak-dev] M1 release scope
> 
> We need to decide what we want to do for M1.  Here's my stab at it.
> Let's discuss in email first as much as we can and then have a hangout
> sometime next week to go over it and nail things down.
> 
> First and foremost.  We have to focus.  No new features.  No playing
> around.  For example:  no adding refresh token support.  No client-cert
> support.  No changes to protocols. No new backends.  Let's just use
> Picketlink JDBC.  No 'forgot password' using SMS, etc... You get the
> picture.
> 
> Required:
> 
> * Social Broker login with as many providers as possible.  Minimally
> Google and Facebook.
> * SSO and SLO (Single Log Out)
> * Password and TOTP login
> * OAuth Client Grant support
> * Example with apps using all of these features
> * Keycloak website setup and finalized
> * Online video walking through a demonstration of features
> * Online video walking through how to configure it
> * JBoss 7.1.x Community and JBoss EAP 6.1 support
> 
> Knowing this there are two paths we can take.  We can either include an
> Admin UI in M1 or not.  IMO, if we do *NOT* have an Admin UI for M1, we
> probably need to not have registration or account management.  Here's
> what it might look like:
> 
> Option #1: No Input UIs
> 
> * A read-only XML/JSON file-based backend.  Users must edit this to add
> users, roles, etc...
> * No Admin UI
> * No Registration, forgotten passwords, account management.  All these
> require runtime updates to the database.
> * What would we do about social though?  As it requires registration?
> 
> Work required (time estimates could take shorter or longer depending on
> interruptions):
> * 1-2 man-weeks to do file-based back-end
> * 1-5 days to design the OAuth Grant Pages.
> * 1 day to incorporate Grant pages
> * Do we want fancier demo apps to show SSO and OAuth Grants?  If so,
> this is minimum 2 weeks.  1 to get Event Juggler hooked into Keycloak.
> 1+ weeks to create another related SSO application.  1+ more to create
> an OAuth application.
> * 1 week to organize the Website and create demo videos.
> * 1-2 weeks for documentation
> * 1+ weeks to decide and implement how we're going to distribute
> keycloak.  Will it be an AS7 and/or EAP distro?  A WAR?  etc...
> 
> So best case scenario is end of October.  It would minimally require
> myself and Gabriel.  Others would be needed if we want fancier demo apps
> as it is beyond my ability to create a nice looking demo app in a short
> period of time.
> 
> Option #2: UIs
> 
> This would take a lot more work as we would need to finish up the admin,
> registration, and account management UIs.  I'd say Christmas time would
> be a viable M1 release for this.  This would require everybody.
> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 

