[keycloak-dev] Provider config
Bill Burke
bburke at redhat.com
Tue Jul 22 09:43:11 EDT 2014
Certain providers may have multiple instances/configs of themselves in
the same realm. i.e. authentication providers (soon to be federation
providers) which may be federating multiple different LDAP databases.
Also, in the future, social may turn into a "federated broker SPI" where
multiple generic federated broker providers can be configured per realm
(i.e. SAML or other openid connections).
I honestly don't want a generic "provider" admin console page where you
generically configure the providers. I think it is a mistake. We're
supposed to be making things easier and we should be making tailored
console pages for what we ship out of the box.
On 7/22/2014 9:16 AM, Stian Thorgersen wrote:
> Maybe it'll make sense to have two types of providers? Server-scoped and realm-scoped.
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian at redhat.com>
>> To: "Bill Burke" <bburke at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Tuesday, 22 July, 2014 2:08:20 PM
>> Subject: Re: [keycloak-dev] Provider config
>>
>>
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Tuesday, 22 July, 2014 2:04:56 PM
>>> Subject: Re: [keycloak-dev] Provider config
>>>
>>> Can you keep the KeycloakSesion/Provider SPIs backward compatible while
>>> you do this?
>>
>> Do we need to? If we do it'll need some more thinking ;)
>>
>>>
>>> On 7/22/2014 5:56 AM, Stian Thorgersen wrote:
>>>> We need to add a generic provider config mechanism. It should be possible
>>>> to configure providers at two levels:
>>>>
>>>> * Server - through keycloak-server.json
>>>> * Realm - through RealmProvider
>>>>
>>>> With regards to server we already have this. It requires editing the
>>>> keycloak-server.json and restarting the server. IMO that's fine for now,
>>>> and we can consider adding support for doing this at runtime through the
>>>> admin console in the future.
>>>>
>>>> For realm config (which would be needed for ldap) I propose that we add a
>>>> ProviderConfigModel to RealmProvider. The ProviderConfigModel consists
>>>> of:
>>>>
>>>> * RealmModel realm
>>>> * String spi
>>>> * String provider
>>>> * Map<String, String> config
>>>>
>>>> We need to add an admin endpoints to add/update provider configs as well
>>>> as
>>>> making it possible to edit these through the admin console. We should add
>>>> a method to the provider factory:
>>>>
>>>> * List<ConfigOption> getConfigOptions - this will return the
>>>> configuration
>>>> options the provider can support
>>>>
>>>> ConfigOption will include (we could also add support for validation):
>>>>
>>>> * String key
>>>> * String label
>>>>
>>>> On the admin console I propose we add a Provider config page. The page
>>>> will
>>>> list out all available SPIs, once you select an SPI it will list out all
>>>> available providers. You can then click on individual providers to get a
>>>> form to edit the provider config. The form will use the getConfigOptions
>>>> to know what labels/input fields to add.
>>>>
>>>> Further, we need to make some changes to KeycloakSession/ProviderFactory
>>>> to
>>>> support realm config. We could change
>>>> ProviderFactory.create(KeycloakSession session) to
>>>> ProviderFactory.create(KeycloakSession session, String realmId,
>>>> Config.Scope realmConfig). This allows a provider to either share
>>>> resources (i.e. connections) with multiple realms, or if it wants
>>>> different connections per-realm it can handle that internally (for
>>>> example
>>>> in a map using realmId as the key).
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list