[keycloak-dev] getting rid of master realm

Bill Burke bburke at redhat.com
Thu Dec 3 14:06:29 EST 2015


I'm thinking that getting rid of the master realm would allow us to 
clean up some things we've wanted to clean up for some time. Here's what 
I have in mind.

* There is no master realm
* Realm admins can create other realms
* You can set up trust from one realm to another.  Just realms that are 
stored in that keycloak deployment.  No remote stuff.
* To keep it simple, the admin console in the realm would just have a 
"Trust" tab somewhere with a list of realms you trust or want to trust. 
When you trust a realm, any users that have admin roles in that 
trusted realm will have the same roles within the current realm.
* When users log into the admin console, the list of realms that trust 
the logged-in realm will be listed as realms the user can manage.
* When a new realm is created, the new realm automatically trusts the 
realm that created it.
* If there is a trust relationship, impersonation will work no matter 
what realm it is.
* We can remove the realm-management client in each realm and just merge 
the roles into security-admin-console.
* For migration, we just import the master realm and set up trust 
between the master realm and every other realm.


Once we do all this we can now look at satisfying the 
cannot-have-a-default-password requirement passed down by the security 
audit team.  We can have a welcome page that just asks "To create your 
first realm, click here".
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
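The bullet list above describes a trust graph between realms and a rule for deriving admin rights from it. The following is an added example, not Keycloak code and not from this thread, that models those rules so the consequences can be checked: trust is a one-directional edge stored per realm, a new realm trusts its creator, admin roles from a trusted realm are mirrored into the trusting realm, the admin console lists every realm where the user ends up with a role, and the migration step makes every existing realm trust the imported master realm. Two points the post leaves open are fixed here as labelled assumptions: trust is not transitive (a realm that trusts "hr" does not thereby trust what "hr" trusts), and only users holding an admin role in the trusted realm gain anything. All realm and user names are constructed.

```python
# Added example, not Keycloak's own code: a minimal model of the realm-trust
# proposal. Assumptions (not stated in the post): trust is explicit and
# one-directional, NOT transitive, and only admin roles are mirrored.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Realm:
    name: str
    # user -> admin roles held directly in this realm (constructed data)
    admin_roles: Dict[str, Set[str]] = field(default_factory=dict)
    # realms this realm trusts; edge direction is self -> trusted
    trusted: Set[str] = field(default_factory=set)


class Deployment:
    """All realms stored in one Keycloak deployment; no remote trust."""

    def __init__(self) -> None:
        self.realms: Dict[str, Realm] = {}

    def create_realm(self, name: str, created_by: Optional[str] = None) -> Realm:
        realm = Realm(name)
        # Proposal: a new realm automatically trusts the realm that created it.
        if created_by is not None:
            if created_by not in self.realms:
                raise KeyError(f"unknown creating realm: {created_by}")
            realm.trusted.add(created_by)
        self.realms[name] = realm
        return realm

    def trust(self, realm: str, trusted_realm: str) -> None:
        # "Just realms that are stored in that keycloak deployment."
        if trusted_realm not in self.realms:
            raise KeyError(f"cannot trust a realm not stored here: {trusted_realm}")
        self.realms[realm].trusted.add(trusted_realm)

    def effective_admin_roles(self, realm: str, user: str, home_realm: str) -> Set[str]:
        """Admin roles `user` (a user of home_realm) holds inside `realm`.
        Local roles apply directly; roles from home_realm are mirrored only
        when `realm` has a direct trust edge to home_realm (assumption)."""
        target = self.realms[realm]
        if home_realm == realm:
            return set(target.admin_roles.get(user, set()))
        if home_realm in target.trusted:
            return set(self.realms[home_realm].admin_roles.get(user, set()))
        return set()

    def manageable_realms(self, user: str, home_realm: str) -> List[str]:
        """Realms the admin console would list for a user logged into
        home_realm: every realm in which the user ends up with an admin role."""
        return sorted(
            name for name in self.realms
            if self.effective_admin_roles(name, user, home_realm)
        )

    def migrate_from_master(self, master: str) -> None:
        """Migration step from the proposal: every other realm trusts master."""
        for name in self.realms:
            if name != master:
                self.trust(name, master)


def demo() -> Dict[str, List[str]]:
    """Constructed deployment: imported master realm plus a chain of realms."""
    dep = Deployment()
    master = dep.create_realm("master")          # imported legacy master realm
    master.admin_roles["alice"] = {"realm-admin"}
    sales = dep.create_realm("sales")            # imported, trusts nothing yet
    sales.admin_roles["carol"] = {"realm-admin"}
    hr = dep.create_realm("hr", created_by="sales")   # auto-trusts sales
    hr.admin_roles["dave"] = {"realm-admin"}
    dep.create_realm("eng", created_by="hr")     # auto-trusts hr, not sales
    dep.migrate_from_master("master")            # everything now trusts master
    return {
        "alice": dep.manageable_realms("alice", "master"),
        "carol": dep.manageable_realms("carol", "sales"),   # eng is NOT included
        "dave": dep.manageable_realms("dave", "hr"),
        "carol_in_hr": sorted(dep.effective_admin_roles("hr", "carol", "sales")),
    }


if __name__ == "__main__":
    for user, realms in demo().items():
        print(f"{user}: {realms}")
```

Running `demo()` shows the two properties worth reviewing in such a design: after migration the master realm's admins reach every realm exactly as before, and because trust is modelled as a direct edge only, carol (an admin of "sales") can manage "hr" but not "eng", even though "eng" trusts "hr". Whether that non-transitivity is the intended semantics is the question a reviewer of the proposal would want answered.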

