[keycloak-dev] UserProvider merged

Bill Burke bburke at redhat.com
Wed Jul 16 08:59:51 EDT 2014



On 7/16/2014 8:47 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Wednesday, 16 July, 2014 1:27:21 PM
>> Subject: Re: [keycloak-dev] UserProvider merged
>>
>>
>>
>> On 7/16/2014 4:23 AM, Stian Thorgersen wrote:
>>>> * JPA and Mongo RealmEntity and UserEntity should be refactored to be
>>>> attribute based as in the Hybrid model.  As Stian suggested, this will
>>>> allow us flexibility in the future.
>>>
>>> I'd also like to have a generic configuration mechanism for providers. This
>>> would include being able to store configuration as well as change it
>>> through the admin console.
>>>
>>> Potentially something I could work on while you guys do sync?
>>>
>>
>> This would overlap with sync refactor.  Just a thought, except for our
>> base LDAP support, would we want generic config mechanism in admin
>> console?  What if user needs something more than name/value pairs for
>> config?
>

Re-reading what you wrote, maybe I misunderstood?  You want a generic 
way to store and manage keycloak-server.json through admin console?


> Generic config mechanism for sync you mean?
>

Yes.

I think sync is in two parts:

* A UserProvider.  For on-demand sync.
* A "cron job" for periodic bulk sync.

Both would want generic config mechanism and realm-specific storage for 
this config.

> I was thinking it would be nice to have something available to all SPIs and providers. Name/value pairs would be simplest with regards to storing and also editing through the admin console.
>

What are the security implications of this in a multi-tenant 
environment?  Might not want a specific realm admin to be able to modify 
keycloak-server.json


What about just allowing user to enter in JSON?



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

