[keycloak-dev] [authz] REST and Java API need work
Pedro Igor Silva
psilva at redhat.com
Mon Mar 27 07:01:42 EDT 2017
On Sun, Mar 26, 2017 at 12:06 PM, Bill Burke <bburke at redhat.com> wrote:
> Authorization component of Keycloak is really cool and has a strong core
> base of functionality. I think it needs another iteration though
> especially around the REST interface and Java API.
>
> The REST interface is just too complex for anybody to use. I'll give
> some examples:
>
> * To create a permission, you must create a PolicyRepresentation.
> Policy and Permission are overloaded and it's unclear how to use the REST
> API to create concepts that exist in the admin console.
>
> * To apply resources and scopes to a permission definition, you have to
> store a stringified JSON array into a regular JSON map.
>
> * In Java API, Policy and Permission are also overloaded. In data model
> policy and permission are also overloaded. This makes it really unclear
> how to create a permission vs. just a plain policy.
>
>
> Suggestion:
>
> * Create a PermissionDefinitionRepresentation and pull core config
> options (scopes, applied policies, resources) into actual fields rather
> than in a generic config map.
>
As we already discussed in a previous thread, policy management via REST
API is a TODO and we have a JIRA for this. Will work on it this week.
>
> * Leverage the ComponentModel API to store non-core configuration, i.e.
> policy type specific information. It supports multi-valued hash maps
> and also has utilities in admin console for rendering this configuration
> data.
>
+1. Yeah, I really missed this capability. I will review this part of the
code and check how component model works.
>
> * Create a PermissionDefinition interface in storage API
>
I'm not willing to change model now ... But we can change the API to start
introducing this.
What do you say?
>
> Bill