[keycloak-dev] Client ID and Client ClientID - I propose we remove one

Marek Posolda mposolda at redhat.com
Thu Nov 19 07:52:59 EST 2015


+1 for this change.

I am just not sure if we should set the "id" to the current value of 
"client-id". A few things to note:

- SAML clients currently use clientId in the form of a URL. For example, in 
the SAML demo there are clientIds like "http://localhosT:8080/employee-sig". 
I don't know if it's a requirement; maybe it's possible to solve it 
somehow (i.e. introduce a different attribute for SAML clients to store 
these URLs). But from what I remember, Bill changed the admin console to use 
"id" instead of "clientId" because there were issues with URL-like 
clientIds in the admin console. So if we overwrite the "id" with the current 
"client-id", the issue will be back.

- Migration might be a pain. Many tables (roles, protocolMappers, user 
consents, offline clientSessions ...) reference clients by "id". 
Overwriting "id" with "client-id" means that we will need to change all 
those DB records. And there are things like foreign keys etc...

Shouldn't we do it vice versa and just remove the current "client-id" and ask 
people to update their keycloak.json adapter configurations? On the 
other hand, removing "client-id" might break migration of JSON exported 
realms, as the JSON entities use "client-id" for referencing clients.

It seems the migration will be a pain regardless of which direction 
we choose :-(

Marek

On 16/11/15 14:54, Stian Thorgersen wrote:
> We have both "id" and "client-id" for clients in Keycloak at the 
> moment. This seems unnecessary and complex.
>
> The model can retrieve clients on either value. In token endpoints the 
> "client-id" is used. In admin endpoints the "id" is used.
>
> Also, in most cases it would be simpler for users to just have a 
> generated id than having to come up with one themselves. The id 
> doesn't have to be human readable either as we have name for that.
>
> OpenID Connect expects "client-id" to be generated by the IdP and 
> can't be changed once created.
>
> I propose we remove "client-id" and only keep id.
>
> For migration of existing clients we would set the "id" value to the 
> current value of "client-id". This would require no changes to adapter 
> configs. When creating new clients from the admin console we would not 
> allow setting the "client-id", instead just display it after the 
> client was created. When importing clients it would be possible to set 
> the id (and for backwards compatibility we would set "id" equal to the 
> "client-id" field).
