[keycloak-dev] [authz] REST and Java API need work

Pedro Igor Silva psilva at redhat.com
Mon Mar 27 07:01:42 EDT 2017

On Sun, Mar 26, 2017 at 12:06 PM, Bill Burke <bburke at redhat.com> wrote:

> Authorization component of Keycloak is really cool and has a strong core
> base of functionality.  I think it needs another iteration though
> especially around the RESET interface and Java API.
> The REST interface is just too complex for anybody to use.  I'll give
> some examples:
> * To create a permission, you must create a PolicyRepresentation.
> Policy and Permission are overloaded and its unclear how to use the REST
> API to create concepts that exist in the admin console.

* To apply resources and scopes to a permission definition, you have to
> store a stringified JSON array into a regular JSON map.
> * In java api, Policy and Permission are also overloaded.  In data model
> policy and permission are also overloaded.  This makes it really unclear
> how to create a permission vs. just a plain policy.
> Suggestion:
> * Create a PermissionDefinitionRepresentation and pull core config
> optiosn (scopes, applied policies, resources) into actual fields rather
> than in a generic config map.

As we already discussed in a previous thread, policy management via REST
API is a TODO and we have a JIRA for this. Will work on it this week.

> * Leverage the ComponentModel API to store non-core configuration, i.e.
> policy type specific information.  It supports multi-valued hash maps
> and also has utilities in admin console for rendering this configuration
> data.

+1. Yeah, I really missed this capability. I will review this part of the
code and check how component model works.

> * Create a PermissionDefinition interface in storage API

I'm not willing to change model now .... But we can change the API to start
introducing this.

What do you say ?

> Bill
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list