[keycloak-dev] new provider deployer working on branch!

Bill Burke bburke at redhat.com
Wed Aug 10 18:42:02 EDT 2016 


On 8/10/16 5:14 PM, Dmitry Telegin wrote:
> Hi,
>
>> As a side note, one thing I could look into is the ability to use
>> @Inject of a KeycloakSession.  Developer could then write entire web
>> applications that are deployed separately and worked with the keycloak
>> API directly.  @Inject KeycloakSession would work similarly to
>> @PersistenceContexts EntityManager.
> Sounds incredibly cool! From my practice I can say that applications 
> often need to perform queries on an IdM layer; such queries can make 
> an essential part of application's business logic (ex., "retrieve all 
> the members of groups the current user is a member of"). For that, 
> native KeyCloak API seems to be much more convenient than REST.
>
> But if I get it right, this will be limited to webapps deployed to the 
> same WildFly instance. Do you think this approach could be 
> nevertheless extended to webapps running in separate JVMs/appservers, 
> or REST is the only option here?
>
Will only be able to deploy extensions on the servers Keycloak runs on.  
Otherwise, REST API would have to be used

For very good reason, we are dependent on Wildfly/JBoss for JTA, 
deployers, management, clustering, caching, etc.  It is just way too 
much effort to make all that infrastructure pluggable.  So no way we 
could provide extensions within a separate JVM or vendor app server.  We 
could eventually allow the Keycloak subsystem to turn off various 
services, but this subsystem would need to run in the same cluster as 
the SSO server or you could easily end up with stale caches.
> Looking forward, as soon as JSR-375 is ready, do you think KeyCloak 
> could adopt it?
>
Just taking a quick look, I would say not for a very long time.  Its 
unclear to me what it is.  Is it a JASPIC redo?  Or a role-your-own 
IDP?  For the former, EE 8 won't be widely available for years, so whats 
the point?  JASPIC sucks and is implemented different on every 
platform.  As for the former, that is just not a viable direction for 
any spec to go as every "identity store" has its own peculiarities.  
What you need is a well defined model and you integrate with that well 
defined model.  Something too generic is useless.

Bill

More information about the keycloak-dev mailing list