[keycloak-dev] redesign of federation
Marek Posolda
mposolda at redhat.com
Tue Nov 3 02:44:09 EST 2015
On 30/10/15 23:13, Bill Burke wrote:
> In doing group model, I was thinking more about federation. Our SPI
> kinda sucks. I was thinking that local storage (Model API) and
> UserFederation should be the same exact SPI. Instead of just
> RealmProvider and UserProvider, we might break it up into:
>
> * RealmProvider - holds realms and clients
> * UserProvider - holds username and attributes about the user
> * UserRelationshipProvider - holds user role mappings, user group membership
> * UserCredentialProvider - stores and authenticates credentials
> * GroupProvider - holds group definitions
> * RoleProvider - holds role definitions
+1 for adding GroupProvider and RoleProvider. That seems to me like big
limitation of current federation provider, that it's not able to handle
CRUD of roles into the external storage.
But I might be missing why we need 3 separate "user" providers? It seems
that current model can handle well the user attributes, relationships
and credentials? Once UserFederationProvider returns the proxy object,
you can implement CRUD of relationships and credentials in the proxy
object itself?
>
> One of the big problems we have is that roles and groups have to be
> defined within Keycloak DB even though they might live in one or more
> external stores.
>
> Admin console would have to change too. You'd have to pick which
> database you wanted to manage. i.e. if you wanted to add a role you
> might want to add it to an LDAP store and not local storage.
Hmm... shouldn't we have same pattern like for user federation? So the
role and group will be always added to "local" DB, but additionally
synced to the external DB? Thing is that external storage may not be
able to save all the metadata we have for roles and groups. Also we need
some reference (roleID, groupID) to be available in Keycloak.
From my LDAP experience, the CRUD of relationships is not a problem, as
you can return UserModel proxy where you can override the relationship
CRUD methods (grantRole, deleteRoleMapping, getRoleMappings,
hasRole...). The problem is the CRUD of roles itself. When you create
new role in Keycloak admin console, it's saved into LDAP during first
call of "grantRole" . So this direction is quite fine. But the LDAP to
Keycloak direction is much worse. In other words,when new role is added
in LDAP, there is no way to notify Keycloak about it.
Marek
>
> This is something we'd really have to map out and design. I would love
> to be able to do it before product, but I don't think we'll have enough
> time to bake it in community. Maybe something we'll have to wait for
> Keycloak 2.0.
>
More information about the keycloak-dev
mailing list