[keycloak-dev] Provider config

Stian Thorgersen stian at redhat.com
Tue Jul 22 09:53:14 EDT 2014



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 22 July, 2014 2:43:11 PM
> Subject: Re: [keycloak-dev] Provider config
> 
> Certain providers may have multiple instances/configs of themselves in
> the same realm.  i.e. authentication providers (soon to be federation
> providers) which may be federating multiple different LDAP databases.
> Also, in the future, social may turn into a "federated broker SPI" where
> multiple generic federated broker providers can be configured per realm
> (i.e. SAML or other openid connections).

Didn't consider that, we'll definitely need it

> 
> I honestly don't want a generic "provider" admin console page where you
> generically configure the providers.  I think it is a mistake.  We're
> supposed to be making things easier and we should be making tailored
> console pages for what we ship out of the box.

What about we allow configuring specific SPIs in the correct place, but still use a form that is populated with labels/inputs from the provider's ConfigOptions?

> 
> 
> On 7/22/2014 9:16 AM, Stian Thorgersen wrote:
> > Maybe it'll make sense to have two types of providers? Server-scoped and
> > realm-scoped.
> >
> > ----- Original Message -----
> >> From: "Stian Thorgersen" <stian at redhat.com>
> >> To: "Bill Burke" <bburke at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Tuesday, 22 July, 2014 2:08:20 PM
> >> Subject: Re: [keycloak-dev] Provider config
> >>
> >>
> >>
> >> ----- Original Message -----
> >>> From: "Bill Burke" <bburke at redhat.com>
> >>> To: keycloak-dev at lists.jboss.org
> >>> Sent: Tuesday, 22 July, 2014 2:04:56 PM
> >>> Subject: Re: [keycloak-dev] Provider config
> >>>
> >>> Can you keep the KeycloakSession/Provider SPIs backward compatible while
> >>> you do this?
> >>
> >> Do we need to? If we do, it'll need some more thinking ;)
> >>
> >>>
> >>> On 7/22/2014 5:56 AM, Stian Thorgersen wrote:
> >>>> We need to add a generic provider config mechanism. It should be
> >>>> possible
> >>>> to configure providers at two levels:
> >>>>
> >>>> * Server - through keycloak-server.json
> >>>> * Realm  - through RealmProvider
> >>>>
> >>>> With regards to server we already have this. It requires editing the
> >>>> keycloak-server.json and restarting the server. IMO that's fine for now,
> >>>> and we can consider adding support for doing this at runtime through the
> >>>> admin console in the future.
> >>>>
> >>>> For realm config (which would be needed for ldap) I propose that we add
> >>>> a
> >>>> ProviderConfigModel to RealmProvider. The ProviderConfigModel consists
> >>>> of:
> >>>>
> >>>> * RealmModel realm
> >>>> * String spi
> >>>> * String provider
> >>>> * Map<String, String> config
> >>>>
> >>>> We need to add admin endpoints to add/update provider configs as well as
> >>>> making it possible to edit these through the admin console. We should add
> >>>> a method to the provider factory:
> >>>>
> >>>> * List<ConfigOption> getConfigOptions - this will return the
> >>>> configuration
> >>>> options the provider can support
> >>>>
> >>>> ConfigOption will include (we could also add support for validation):
> >>>>
> >>>> * String key
> >>>> * String label
> >>>>
> >>>> On the admin console I propose we add a Provider config page. The page
> >>>> will
> >>>> list out all available SPIs, once you select an SPI it will list out all
> >>>> available providers. You can then click on individual providers to get a
> >>>> form to edit the provider config. The form will use the getConfigOptions
> >>>> to know what labels/input fields to add.
> >>>>
> >>>> Further, we need to make some changes to KeycloakSession/ProviderFactory
> >>>> to
> >>>> support realm config. We could change
> >>>> ProviderFactory.create(KeycloakSession session) to
> >>>> ProviderFactory.create(KeycloakSession session, String realmId,
> >>>> Config.Scope realmConfig). This allows a provider to either share
> >>>> resources (i.e. connections) with multiple realms, or if it wants
> >>>> different connections per-realm it can handle that internally (for
> >>>> example
> >>>> in a map using realmId as the key).
> >>>> _______________________________________________
> >>>> keycloak-dev mailing list
> >>>> keycloak-dev at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>>
> >>>
> >>> --
> >>> Bill Burke
> >>> JBoss, a division of Red Hat
> >>> http://bill.burkecentral.com
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
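
The realm-scoped factory proposed in this thread, sketched as an added example that is not Keycloak code or part of the original messages. All types are hypothetical stand-ins defined in the block: the model carries a `realmId` string instead of a `RealmModel`, the session argument is omitted, and the option keys and URLs are constructed.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-ins modelled on the proposal in this thread; not Keycloak's actual API.
public class RealmScopedProviderSketch {
    record ConfigOption(String key, String label) {}
    record ProviderConfigModel(String realmId, String spi, String provider, Map<String, String> config) {}
    record Connection(String realmId, String url) {} // stand-in for e.g. an LDAP connection

    static class LdapLikeFactory {
        private final Map<String, Connection> perRealm = new ConcurrentHashMap<>();

        List<ConfigOption> getConfigOptions() {
            return List.of(new ConfigOption("connectionUrl", "Connection URL"),
                           new ConfigOption("bindDn", "Bind DN"));
        }

        // Reject keys the provider never declared, so a config stored for a realm
        // cannot carry settings the admin form would not have shown.
        void validate(ProviderConfigModel model) {
            Set<String> allowed = new HashSet<>();
            for (ConfigOption o : getConfigOptions()) allowed.add(o.key());
            for (String key : model.config().keySet())
                if (!allowed.contains(key))
                    throw new IllegalArgumentException("Unknown config key: " + key);
        }

        // Mirrors the proposed create(session, realmId, realmConfig), minus the session:
        // one connection per realm, keyed by realmId, never shared across realms.
        Connection create(String realmId, ProviderConfigModel realmConfig) {
            if (!realmId.equals(realmConfig.realmId()))
                throw new IllegalArgumentException("Config belongs to another realm");
            validate(realmConfig);
            return perRealm.computeIfAbsent(realmId,
                    id -> new Connection(id, realmConfig.config().get("connectionUrl")));
        }
    }

    public static void main(String[] args) {
        LdapLikeFactory factory = new LdapLikeFactory();
        // Constructed sample configs for two realms.
        var a = new ProviderConfigModel("realm-a", "authentication", "ldap",
                Map.of("connectionUrl", "ldap://a.example.test", "bindDn", "cn=svc,dc=a"));
        var b = new ProviderConfigModel("realm-b", "authentication", "ldap",
                Map.of("connectionUrl", "ldap://b.example.test"));
        System.out.println(factory.create("realm-a", a));
        System.out.println(factory.create("realm-b", b));
        System.out.println(factory.create("realm-a", a) == factory.create("realm-a", a)); // true
    }
}
```

Keying the map on `realmId` alone gives one instance per realm; the multiple-instances-per-realm case raised in the reply would need a wider key.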

