[keycloak-dev] [Keycloak Operator] Modifying browserRedirectorIdentityProvider while creating a realm

Sebastian Laskawiec slaskawi at redhat.com
Sat Nov 2 11:06:36 EDT 2019


Hey guys,

Peter is currently working on setting the "defaultProvider" configuration
parameter in the "identity-provider-redirector". The old Operator used this
functionality here [1] and Peter wanted to port it to the new Operator.
@Peter - if I may ask you - could you please describe the use case this is
being used in?

During our initial conversation, we agreed that we want to set up all Realm
bits in a single REST call. In other words - Keycloak Realm CR should match
exported realm JSON format. However, modifying existing browser flow hardly
fits into this scenario. It would require sending a JSON with the full list of
"authenticationFlows" as well as a full list of "authenticatorConfig"
objects (as Config is matched with an authentication flow using an id).

I experimented with an exported Realm and here's what I have [2]. As you
probably noticed - it's enormous and very fragile (as it contains many,
many options I have to set upfront).

Do you have any idea how to solve this? I have three options in my head:
1) Use a second REST call (after creating a Realm) and modify the
"authenticatorConfig". In other words - do everything exactly the same way
the old Operator did
2) Force users to embed the full Realm configuration every time they create
a Realm.
3) Create some sort of profiles in Keycloak. This way, when an Operator
uses the proper profile, we set the "defaultProvider" to the proper value
out-of-the-box.

Thanks,
Sebastian

[1]
https://github.com/integr8ly/keycloak-operator/blob/d97ee5de8c2b227d684ad5e8e8f50efb1a0fafa8/pkg/keycloak/realm/phaseHandler.go#L620
[2]
https://gist.github.com/slaskawi/79847124a268b94c8391e01f13b21409#file-keycloak-operator-browser-redirector-json-L404
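As an added illustration of the coupling described in the message above (example code, not from the old or the new Operator): given an exported realm JSON, locate the identity-provider-redirector execution in a flow and attach or update an authenticatorConfig carrying "defaultProvider". It assumes the exported format references the config from the execution's "authenticatorConfig" field by config alias; sampleRealm is a constructed, trimmed stand-in, and the generated alias is made up.

```go
package main
import "encoding/json"
import "fmt"

// Constructed, heavily trimmed stand-in for an exported realm JSON (not a real export).
const sampleRealm = `{"authenticationFlows":[{"alias":"browser","authenticationExecutions":[
 {"authenticator":"auth-cookie","requirement":"ALTERNATIVE"},{"authenticator":"identity-provider-redirector",
 "requirement":"ALTERNATIVE"},{"flowAlias":"forms","requirement":"ALTERNATIVE"}]}],"authenticatorConfig":[]}`

// find returns the first object in list (a decoded JSON array) whose key equals val, or nil.
func find(list any, key, val string) map[string]any {
	items, _ := list.([]any)
	for _, it := range items {
		if m, _ := it.(map[string]any); m[key] == val {
			return m
		}
	}
	return nil
}

// SetDefaultProvider rewrites realmJSON so the identity-provider-redirector execution in flowAlias
// is backed by an authenticatorConfig whose "defaultProvider" is provider; the rest of the realm is
// passed through untouched. Assumes the export links execution and config by alias (see lead-in).
func SetDefaultProvider(realmJSON []byte, flowAlias, provider string) ([]byte, error) {
	var realm map[string]any
	if err := json.Unmarshal(realmJSON, &realm); err != nil {
		return nil, err
	}
	flow := find(realm["authenticationFlows"], "alias", flowAlias)
	exec := find(flow["authenticationExecutions"], "authenticator", "identity-provider-redirector")
	if exec == nil {
		return nil, fmt.Errorf("flow %q has no identity-provider-redirector execution", flowAlias)
	}
	alias, _ := exec["authenticatorConfig"].(string)
	cfg := find(realm["authenticatorConfig"], "alias", alias)
	if cfg == nil { // no config attached yet: create one and point the execution at it
		alias = flowAlias + "-idp-redirector" // constructed alias, not a Keycloak default
		exec["authenticatorConfig"] = alias
		cfg = map[string]any{"alias": alias}
		configs, _ := realm["authenticatorConfig"].([]any)
		realm["authenticatorConfig"] = append(configs, cfg)
	}
	settings, _ := cfg["config"].(map[string]any) // existing config: update in place, keep other keys
	if settings == nil {
		settings = map[string]any{}
	}
	settings["defaultProvider"] = provider
	cfg["config"] = settings
	return json.Marshal(realm)
}
```

Running it twice against the same realm updates the one config in place rather than appending a second one, which is the behaviour an Operator reconciling a CR repeatedly needs.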
