[keycloak-dev] [authz] REST and Java API need work

Bill Burke bburke at redhat.com
Sun Mar 26 11:06:48 EDT 2017

Authorization component of Keycloak is really cool and has a strong core 
base of functionality.  I think it needs another iteration though 
especially around the RESET interface and Java API.

The REST interface is just too complex for anybody to use.  I'll give 
some examples:

* To create a permission, you must create a PolicyRepresentation.  
Policy and Permission are overloaded and its unclear how to use the REST 
API to create concepts that exist in the admin console.

* To apply resources and scopes to a permission definition, you have to 
store a stringified JSON array into a regular JSON map.

* In java api, Policy and Permission are also overloaded.  In data model 
policy and permission are also overloaded.  This makes it really unclear 
how to create a permission vs. just a plain policy.


* Create a PermissionDefinitionRepresentation and pull core config 
optiosn (scopes, applied policies, resources) into actual fields rather 
than in a generic config map.

* Leverage the ComponentModel API to store non-core configuration, i.e. 
policy type specific information.  It supports multi-valued hash maps 
and also has utilities in admin console for rendering this configuration 

* Create a PermissionDefinition interface in storage API


More information about the keycloak-dev mailing list