[keycloak-dev] Authz Model Implementation

Bill Burke bburke at redhat.com
Mon Oct 19 10:15:51 EDT 2015


A lot of the PL APIs are going to go away.  We want tight and focused 
SPIs that leverage the rest of the Keycloak platform and vision.  Not 
broad generic APIs for rolling your own SSO solution.  We want something 
out of the box that for most cases a user doesn't have to be a Java 
programmer to use and deploy Keycloak.  You just have to have a focused 
and specific security model to provide an out of the box solution and 
focused vision.

That being said, what we've learned is that developers have broad and 
different requirements when it comes to authorization and permissions. 
This is where an API, backed by the authz server, would be very useful. 
  Pedro was involved with PLs permission APIs and I'm confident he has 
some really good ideas for evolving it.

On 10/19/2015 8:45 AM, Arthur Gregório wrote:
> Then KC will not have a model in the style of the PL?
>
> This means that those who used the PL hoping that everything in it was
> in KC turned out to have a framework discontinued and with no more updates?
>
> Or the PL as it exists today will continue to be developed and there
> will be a plus integration with KC?
>
> I am very confused by the merge of the projects, it appears that the
> security of my system already died before were born.
>
> at.,
>
> *Arthur P. Gregório*
> /+55 45 9958-0302/
> @gregorioarthur
> www.arthurgregorio.eti.br <http://www.arthurgregorio.eti.br>
>
> 2015-10-19 10:24 GMT-02:00 Pedro Igor Silva <psilva at redhat.com
> <mailto:psilva at redhat.com>>:
>
>     Hey Crhisthian,
>
>          As Bill said, we are working on an Authz Server for Keycloak in
>     order to provide fine-grained permissions. It is still a working in
>     progress, although we already have a baseline for a first release
>     which will happen very soon.
>
>          From a migration perspective, while PL provides a rich
>     Permission Java API, Keycloak will provide a distributable
>     authorization server based on a RESTful API to manage resources,
>     policies, evaluate policies, obtain entitlements and plus other
>     goodies. In other words, Keycloak will become a PAP (Policy
>     Administration Point), a PDP (Policy Decision Point) and a
>     Entitlements Server. Everything based on OpenID Connect (and of
>     course, oAuth2).
>
>          As you know, Keycloak is a feature rich, OOTB and easy to use
>     security as a service solution. We are considering these same
>     premises for the authz server, so you can protect web apps, RESTful
>     APIs or any other resources very easily. For instance, you'll be
>     able to write policies using JBoss Drools, EL and easily extend your
>     existing oAuth2 clients in order ask for permissions or enforce them
>     (in case your client acts as a resource server).
>
>          I'm afraid there will be no "migragration path" between PL and
>     KC, at this sense. But we can work together to make this migration
>     easier. For instance, we are going to provide a Protection API which
>     can be used to manage resources and policies remotely.
>
>     Regards.
>     Pedro Igor
>
>     ----- Original Message -----
>     From: "Cristhian Camilo Lopez" <calovi86 at gmail.com
>     <mailto:calovi86 at gmail.com>>
>     To: keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>     Sent: Sunday, October 18, 2015 3:16:30 PM
>     Subject: Re: [keycloak-dev] Authz Model Implementation
>
>
>
>     Hi Pedro,
>
>     I'm migrating from Picketlink, but I haven't found the way to use
>     fine-grained permissions, Could u give me some advice on this ?
>
>     Thanks,
>
>     Cristhian.
>
>
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-dev mailing list