[keycloak-dev] provisioning/bootstrapping/installing Keycloak

Bill Burke bburke at redhat.com
Thu Sep 19 19:33:32 EDT 2013


How will Keycloak be provisioned, bootstrapped, configured?
How will Keycloak look the first time somebody uses it?

These are the questions I need answers to.

We discussed earlier that a SaaS for identity is probably not a good 
idea.  For both security and performance reasons, Keycloak should not 
support multitenancy between multiple accounts.  For a cloud 
environment, we will instead deploy Keycloak as a cartridge for a 
specific Openshift account.

How this affects the current code-base is that there would be no SaaS 
login/registration pages.  Another thing is that Stian correctly suggested 
that the admin UI and admin REST services should be deployed and secured 
by the token service as an Application under a realm.  Both of these 
things affect the design of the admin UI as well as provisioning, 
installation, and bootstrapping.

Knowing this there are two routes we can take.

Option #1: Multiple Realms per Keycloak Deployment (our current codebase)
Option #2: One Realm per Keycloak Deployment

Let's talk about Option #2 because I think it has the potential to make 
things really clean, from both a UI perspective and an 
installation/bootstrapping perspective.

* The admin UI would be simplified as you would not have to have buttons 
for creating realms or UI elements for switching between realms.  Since 
we want realm administration to be secured by the realm itself, adding 
new realm admins is the same as managing any other user in the system. 
If we allowed multiple realms per Keycloak deployment, then we would 
need the concept of a super user and separate UI elements for managing them.

* Installation/packaging Keycloak becomes simpler in the non-cloud case. 
Keycloak would come pre-configured with a realm and a default admin 
user for that realm with a known password.  You would just boot up 
Keycloak and try to log in.  The admin user would be forced to 
enter a new password before they started using Keycloak.

* Provisioning on Openshift would also be simpler, since the realm 
name could map to a DNS name, e.g. myrealm-user.rhcloud.com

One realm per deployment doesn't mean that we would model it in the 
database that way.  The data model would still support multi-tenancy 
which means you could share a database between Keycloak deployments.

Thoughts?


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
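The bootstrap flow the post sketches (a deployment seeded with one realm and a default admin whose known password must be replaced at first login, with realm admins being ordinary users of that realm) as an added Python model. This is illustration code written for this page, not Keycloak's own code; the names Realm, User, bootstrap_realm, login, update_password and grant_realm_admin, the default password value, the realm-admin role name and the UPDATE_PASSWORD action name are all assumptions made here.

```python
"""Model of a one-realm bootstrap: the deployment ships with a default realm,
one admin user with a known password, and that user is blocked from every
admin action until the password has been changed.  Illustration only, not
Keycloak code; all names and values here are hypothetical."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

UPDATE_PASSWORD = "UPDATE_PASSWORD"   # assumed name of the pending action
DEFAULT_ADMIN_PASSWORD = "admin"      # assumed shipped default; must be rotated
REALM_ADMIN = "realm-admin"           # assumed role name


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: set = field(default_factory=set)
    required_actions: set = field(default_factory=set)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)


@dataclass
class Realm:
    name: str
    users: dict = field(default_factory=dict)

    def add_user(self, username, password, roles=(), required_actions=()):
        u = User(username, b"", b"", set(roles), set(required_actions))
        u.set_password(password)
        self.users[username] = u
        return u


def bootstrap_realm(name: str) -> Realm:
    """Seed the single realm with a default admin.  The admin is just a user
    of the realm holding the realm-admin role, with UPDATE_PASSWORD pending,
    so the known default password can never be used for real admin work."""
    realm = Realm(name)
    realm.add_user("admin", DEFAULT_ADMIN_PASSWORD, roles={REALM_ADMIN},
                   required_actions={UPDATE_PASSWORD})
    return realm


def login(realm: Realm, username: str, password: str) -> dict:
    """Authenticate and return a token-like dict.  While required actions are
    pending, no roles are granted; only the pending actions are reported."""
    u = realm.users.get(username)
    if u is None or not u.check_password(password):
        return {"ok": False, "error": "invalid_grant"}
    if u.required_actions:
        return {"ok": False, "required_actions": sorted(u.required_actions)}
    return {"ok": True, "sub": username, "realm": realm.name,
            "roles": sorted(u.roles), "token": secrets.token_urlsafe(16)}


def update_password(realm: Realm, username: str, old: str, new: str) -> bool:
    """Complete the UPDATE_PASSWORD action.  The new password must be at
    least 8 characters and differ from both the old one and the shipped
    default, so the well-known value cannot simply be re-entered."""
    u = realm.users.get(username)
    if u is None or not u.check_password(old):
        return False
    if new == old or new == DEFAULT_ADMIN_PASSWORD or len(new) < 8:
        return False
    u.set_password(new)
    u.required_actions.discard(UPDATE_PASSWORD)
    return True


def grant_realm_admin(realm: Realm, actor: str, target: str) -> bool:
    """Make another existing user a realm admin.  Only a realm admin with no
    pending actions may do this: there is no super user outside the realm."""
    a = realm.users.get(actor)
    t = realm.users.get(target)
    if a is None or t is None or REALM_ADMIN not in a.roles or a.required_actions:
        return False
    t.roles.add(REALM_ADMIN)
    return True


if __name__ == "__main__":
    r = bootstrap_realm("myrealm")
    print(login(r, "admin", DEFAULT_ADMIN_PASSWORD))   # blocked, action pending
    assert update_password(r, "admin", "admin", "admin") is False
    assert update_password(r, "admin", "admin", "correct horse battery")
    print(login(r, "admin", "correct horse battery"))  # now carries realm-admin
```

The point of the model is the ordering: the seeded credential is usable for exactly one thing, completing the password change, and a second admin is created by granting a role to an existing realm user rather than through any realm-independent super-user path.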

