[keycloak-dev] Client ID and Client ClientID - I propose we remove one
Marek Posolda
mposolda at redhat.com
Thu Nov 19 07:52:59 EST 2015
+1 for this change.
I am just not sure if we should set the "id" to the current value of
"client-id" ? Few things to note:
- SAML clients currently use clientId in form of URL. For example in
SAML demo there are clientIds like "http://localhosT:8080/employee-sig"
. I don't know if it's requirement, maybe it's possible to solve it
somehow (ie. introduce different attribute for SAML client to store
these URLs). But from what I remember, Bill changed admin console to use
"id" instead of "clientId" because there were issues with URL-like
clientId in admin console . So if we overwrite the "id" with current
"client-id" the issue will be back.
- Migration might be a pain. Many tables (roles, protocolMappers, user
consents, offline clientSessions ...) references client by "id" .
Overwriting "id" with "client-id" means that we will need to change all
those DB records. And there are things like foreign keys etc...
Shouldn't do vice-versa and just remove current "client-id" and ask
people to update their keycloak.json adapter configurations? On the
other hand, removing "client-id" might break migration of JSON exported
realms as the JSON entities are using "client-id" for referencing client.
It seems the migration will be a pain regardless of whatever direction
we choose :-(
Marek
On 16/11/15 14:54, Stian Thorgersen wrote:
> We have both "id" and "client-id" for clients in Keycloak at the
> moment. This seems unnecessary and complex.
>
> The model can retrieve clients on either value. In token endpoints the
> "client-id" is used. In admin endpoints the "id" is used.
>
> Also, in most cases it would be simpler for users to just have a
> generated id than having to come up with one themselves. The id
> doesn't have to be human readable either as we have name for that.
>
> OpenID Connect expects "client-id" to be generated by the IdP and
> can't be changed once created.
>
> I propose we remove "client-id" and only keep id.
>
> For migration of existing clients we would set the "id" value to the
> current value of "client-id". This would require no changes to adapter
> configs. When creating new clients from the admin console we would not
> allow setting the "client-id", instead just display it after the
> client was created. When importing clients it would be possible to set
> the id (and for backwards compatibility we would set "id" equal to the
> "client-id" field.
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151119/7924b98b/attachment.html
More information about the keycloak-dev
mailing list