[keycloak-dev] UserProvider merged

Stian Thorgersen stian at redhat.com
Wed Jul 16 09:08:11 EDT 2014


The idea for provider config was:

A provider can have a server-wide config (keycloak-server.json) as well as realm-specific configs. 

Server-wide config would at least initially be configured only through keycloak-server.json and would also require a server restart. We could look at making this configurable through admin console as well.

Realm-specific config would be configurable through the admin console. You would go to a "Providers" tab in the admin console, then you'd have a menu that lists out all SPIs. So you would for example click on Sync. You could then configure which Sync providers are enabled for the Realm, as well as set configuration for them. With regard to config I thought key/value would be sufficient, and much simpler to deal with.

In that regard it would probably make sense that KeycloakSession would be bound to a specific realm so we could create Provider instances with the correct config.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 16 July, 2014 1:59:51 PM
> Subject: Re: [keycloak-dev] UserProvider merged
> 
> 
> 
> On 7/16/2014 8:47 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Wednesday, 16 July, 2014 1:27:21 PM
> >> Subject: Re: [keycloak-dev] UserProvider merged
> >>
> >>
> >>
> >> On 7/16/2014 4:23 AM, Stian Thorgersen wrote:
> >>>> * JPA and Mongo RealmEntity and UserEntity should be refactored to be
> >>>> attribute based as in the Hybrid model.  As Stian suggested, this will
> >>>> allow us flexibility in the future.
> >>>
> >>> I'd also like to have a generic configuration mechanism for providers.
> >>> This
> >>> would include being able to store configuration as well as change it
> >>> through the admin console.
> >>>
> >>> Potentially something I could work on while you guys do sync?
> >>>
> >>
> >> This would overlap with sync refactor.  Just a thought, except for our
> >> base LDAP support, would we want generic config mechanism in admin
> >> console?  What if user needs something more than name/value pairs for
> >> config?
> >
> 
> Re-reading what you wrote, maybe I misunderstood?  You want a generic
> way to store and manage keycloak-server.json through admin console?
> 
> 
> > Generic config mechanism for sync you mean?
> >
> 
> Yes.
> 
> I think sync is in two parts:
> 
> * A UserProvider.  For on-demand sync.
> * A "cron job" for periodic bulk sync.
> 
> Both would want generic config mechanism and realm-specific storage for
> this config.
> 
> > I was thinking it would be nice to have something available to all SPIs and
> > providers. Name/value pairs would be simplest with regards to storing and
> > also editing through the admin console.
> >
> 
> What are the security implications of this in a multi-tenant
> environment?  Might not want a specific realm admin to be able to modify
> keycloak-server.json
> 
> 
> What about just allowing user to enter in Json?
> 
> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 

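To make the two layers discussed above concrete, here is an added example (not Keycloak code, and not from either participant) sketching a server-wide layer standing in for keycloak-server.json, a realm-specific key/value layer editable from the admin console, and a session bound to one realm that resolves a provider's effective config. It also enforces the multi-tenant point raised in the quoted reply: a realm admin can only write keys a provider declares realm-overridable, and only in their own realm. Every class, method and key name here (ProviderConfigStore, RealmSession, Actor, REALM_OVERRIDABLE, the "sync.ldap" provider id and its settings) is an assumption for illustration, and the config values are constructed.

```java
import java.util.*;

// Added example, not Keycloak code: a sketch of layered provider configuration.
// All names here are assumptions made for illustration.
public class ProviderConfigExample {

    // Who is asking. A realm admin is scoped to exactly one realm; only a
    // server admin may touch the server-wide layer.
    static final class Actor {
        final String name; final boolean serverAdmin; final String realm;
        Actor(String name, boolean serverAdmin, String realm) {
            this.name = name; this.serverAdmin = serverAdmin; this.realm = realm;
        }
    }

    // Per-provider declaration of which keys a realm may override. Anything not
    // listed is server-wide (connection URLs, file paths, ...) and stays out of
    // reach of a tenant's realm admin. Hypothetical provider ids and keys.
    static final Map<String, Set<String>> REALM_OVERRIDABLE = Map.of(
            "sync.ldap", Set.of("enabled", "syncPeriodSeconds", "usersDn"),
            "sync.kerberos", Set.of("enabled"));

    static final class ProviderConfigStore {
        // Server-wide layer: what keycloak-server.json would hold (restart to change).
        private final Map<String, Map<String, String>> serverWide = new HashMap<>();
        // Realm layer: realm -> providerId -> key/value, editable from the admin console.
        private final Map<String, Map<String, Map<String, String>>> perRealm = new HashMap<>();

        void loadServerWide(String providerId, Map<String, String> cfg) {
            serverWide.put(providerId, new HashMap<>(cfg));
        }

        // Authorization happens at write time, before anything is stored.
        void setRealmValue(Actor actor, String realm, String providerId, String key, String value) {
            if (!actor.serverAdmin && !realm.equals(actor.realm))
                throw new SecurityException(actor.name + " is not an admin of realm " + realm);
            Set<String> allowed = REALM_OVERRIDABLE.getOrDefault(providerId, Set.of());
            if (!allowed.contains(key))
                throw new SecurityException(key + " of " + providerId + " is server-wide, not editable per realm");
            perRealm.computeIfAbsent(realm, r -> new HashMap<>())
                    .computeIfAbsent(providerId, p -> new HashMap<>())
                    .put(key, value);
        }

        // Effective config = server-wide defaults overlaid with the realm's overrides.
        // The overridable check is repeated here so a stale or hand-edited realm
        // entry can never shadow a server-wide key, whatever path wrote it.
        Map<String, String> resolve(String realm, String providerId) {
            Map<String, String> out = new TreeMap<>(serverWide.getOrDefault(providerId, Map.of()));
            Set<String> allowed = REALM_OVERRIDABLE.getOrDefault(providerId, Set.of());
            perRealm.getOrDefault(realm, Map.of()).getOrDefault(providerId, Map.of())
                    .forEach((k, v) -> { if (allowed.contains(k)) out.put(k, v); });
            return out;
        }
    }

    // A session bound to one realm, so a provider instance is built with exactly
    // that realm's effective config and never sees another tenant's values.
    static final class RealmSession {
        final String realm; final ProviderConfigStore store;
        RealmSession(String realm, ProviderConfigStore store) { this.realm = realm; this.store = store; }
        Map<String, String> providerConfig(String providerId) { return store.resolve(realm, providerId); }
    }

    public static void main(String[] args) {
        ProviderConfigStore store = new ProviderConfigStore();
        // Constructed server-wide config, standing in for keycloak-server.json.
        store.loadServerWide("sync.ldap", Map.of(
                "enabled", "false",
                "connectionUrl", "ldap://ldap.example.test:389",
                "syncPeriodSeconds", "3600"));

        Actor alice = new Actor("alice", false, "acme");   // realm admin of "acme" only
        store.setRealmValue(alice, "acme", "sync.ldap", "enabled", "true");
        store.setRealmValue(alice, "acme", "sync.ldap", "syncPeriodSeconds", "600");

        // The concern from the thread: a realm admin must not reach server-wide keys ...
        try {
            store.setRealmValue(alice, "acme", "sync.ldap", "connectionUrl", "ldap://attacker.example.test");
        } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        // ... nor another tenant's realm.
        try {
            store.setRealmValue(alice, "globex", "sync.ldap", "enabled", "true");
        } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }

        System.out.println("acme:   " + new RealmSession("acme", store).providerConfig("sync.ldap"));
        System.out.println("globex: " + new RealmSession("globex", store).providerConfig("sync.ldap"));
    }
}
```

Run with `java ProviderConfigExample.java` (Java 11 or later). The "acme" session sees the realm's overrides on top of the server defaults while "globex" sees only the defaults, and both attempts to cross the server-wide or realm boundary are refused before anything is persisted; that write-time check, plus the repeated filter in resolve, is what keeps a per-realm key/value editor from becoming a way to edit keycloak-server.json.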
