[keycloak-dev] redesign of federation
Bill Burke
bburke at redhat.com
Fri Oct 30 18:13:23 EDT 2015

In doing group model, I was thinking more about federation. Our SPI
kinda sucks. I was thinking that local storage (Model API) and
UserFederation should be the same exact SPI. Instead of just
RealmProvider and UserProvider, we might break it up into:

* RealmProvider - holds realms and clients
* UserProvider - holds username and attributes about the user
* UserRelationshipProvider - holds user role mappings, user group membership
* UserCredentialProvider - stores and authenticates credentials
* GroupProvider - holds group definitions
* RoleProvider - holds role definitions

One of the big problems we have is that roles and groups have to be
defined within Keycloak DB even though they might live in one or more
external stores.

Admin console would have to change too. You'd have to pick which
database you wanted to manage. i.e. if you wanted to add a role you
might want to add it to an LDAP store and not local storage.

This is something we'd really have to map out and design. I would love
to be able to do it before product, but I don't think we'll have enough
time to bake it in community. Maybe something we'll have to wait for
Keycloak 2.0.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com