[keycloak-dev] [Keycloak Operator] Modifying browserRedirectorIdentityProvider while creating a realm

Peter Braun pbraun at redhat.com
Mon Nov 4 03:44:07 EST 2019


Hey,

we are using this feature in RHMI to configure the browser authentication
flow for the user facing RHSSO instance (the one that customers can use in
their own projects as opposed to the cluster wide SSO for middleware
services).

The options were to make the required REST calls in our installer or add
this convenience feature to the operator, and we decided on the latter.

As to how it should work in the future, my thoughts are: Option 3 would be
ideal while 1 seems acceptable. Option 2 is not really acceptable because
the JSON required is very cumbersome and would require us to include IDs,
which is not something an end user should do.


Regards,
Peter

On Sat, Nov 2, 2019 at 4:07 PM Sebastian Laskawiec <slaskawi at redhat.com>
wrote:

> Hey guys,
>
> Peter is currently working on setting the "defaultProvider" configuration
> parameter in the "identity-provider-redirector". The old Operator used this
> functionality here [1] and Peter wanted to port it to the new Operator.
> @Peter - if I may ask you - could you please describe the use case this is
> being used in?
>
> During our initial conversation, we agreed that we want to set up all Realm
> bits in a single REST call. In other words - Keycloak Realm CR should match
> exported realm JSON format. However, modifying existing browser flow hardly
> fits into this scenario. It would require sending a JSON with a full list of
> "authenticationFlows" as well as a full list of "authenticatorConfig"
> objects (as Config is matched with an authentication flow using an id).
>
> I experimented with an exported Realm and here's what I have [2]. As you
> probably noticed - it's enormous and very fragile (as it contains many,
> many options I have to set upfront).
>
> Do you have any idea how to solve this? I have three options in my head:
> 1) Use a second REST call (after creating a Realm) and modify the
> "authenticatorConfig". In other words - do everything exactly the same way
> the old Operator did.
> 2) Force users to embed the full Realm configuration every time they
> create a Realm.
> 3) Create some sort of profiles in Keycloak. This way, when an Operator
> uses proper profile, we set the "defaultProvider" to proper value
> out-of-the-box.
>
> Thanks,
> Sebastian
>
> [1]
> https://github.com/integr8ly/keycloak-operator/blob/d97ee5de8c2b227d684ad5e8e8f50efb1a0fafa8/pkg/keycloak/realm/phaseHandler.go#L620
> [2]
> https://gist.github.com/slaskawi/79847124a268b94c8391e01f13b21409#file-keycloak-operator-browser-redirector-json-L404
>
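As an added example (not code from either the old or the new Operator, and not part of the thread), here is how option 1 from the discussion above, the second REST call after the realm exists, can be done against the Keycloak admin REST API: read the "browser" flow's executions, locate the "identity-provider-redirector" step, then create or update its authenticator config with "defaultProvider" set. The endpoint paths and JSON field names are the admin API as I know it (`/authentication/flows/{flow}/executions`, `/authentication/config/{id}`, `/authentication/executions/{id}/config`) and should be checked against the Keycloak version in use; the base URL, token, realm and provider alias in `main` are placeholders. The helpers keep any keys already present in the config and only override `defaultProvider`, so a reconciling operator can call this repeatedly without clobbering settings an admin changed by hand.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

// execution holds the fields we need from an AuthenticationExecutionInfoRepresentation
// (response of GET /admin/realms/{realm}/authentication/flows/{flow}/executions).
type execution struct {
	ID                   string `json:"id"`
	ProviderID           string `json:"providerId"`
	AuthenticationConfig string `json:"authenticationConfig"` // config id, empty if none yet
}

// authenticatorConfig mirrors AuthenticatorConfigRepresentation.
type authenticatorConfig struct {
	ID     string            `json:"id,omitempty"`
	Alias  string            `json:"alias"`
	Config map[string]string `json:"config"`
}

const redirectorProvider = "identity-provider-redirector"

// findRedirector parses the executions list of a flow and returns the execution id
// and the (possibly empty) config id of the identity-provider-redirector step.
func findRedirector(body []byte) (execID, configID string, err error) {
	var execs []execution
	if err := json.Unmarshal(body, &execs); err != nil {
		return "", "", err
	}
	for _, e := range execs {
		if e.ProviderID == redirectorProvider {
			return e.ID, e.AuthenticationConfig, nil
		}
	}
	return "", "", errors.New("flow has no " + redirectorProvider + " execution")
}

// buildConfig returns the payload for the config create/update call: existing keys are
// preserved and only defaultProvider is overridden; alias is used when none exists yet.
func buildConfig(existing authenticatorConfig, alias, defaultProvider string) authenticatorConfig {
	cfg := authenticatorConfig{ID: existing.ID, Alias: existing.Alias, Config: map[string]string{}}
	if cfg.Alias == "" {
		cfg.Alias = alias
	}
	for k, v := range existing.Config {
		cfg.Config[k] = v
	}
	cfg.Config["defaultProvider"] = defaultProvider
	return cfg
}

// setDefaultProvider is the "second REST call" of option 1: it reads the browser flow,
// finds the redirector execution and creates or updates its config.
func setDefaultProvider(client *http.Client, baseURL, token, realm, defaultProvider string) error {
	do := func(method, path string, payload interface{}, out interface{}) error {
		var body bytes.Buffer
		if payload != nil {
			if err := json.NewEncoder(&body).Encode(payload); err != nil {
				return err
			}
		}
		req, err := http.NewRequest(method, baseURL+"/admin/realms/"+realm+path, &body)
		if err != nil {
			return err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		req.Header.Set("Content-Type", "application/json")
		resp, err := client.Do(req)
		if err != nil {
			return err
		}
		defer resp.Body.Close()
		if resp.StatusCode/100 != 2 {
			return fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
		}
		if out != nil {
			return json.NewDecoder(resp.Body).Decode(out)
		}
		return nil
	}

	var raw json.RawMessage
	if err := do(http.MethodGet, "/authentication/flows/browser/executions", nil, &raw); err != nil {
		return err
	}
	execID, configID, err := findRedirector(raw)
	if err != nil {
		return err
	}
	if configID == "" {
		// No config attached yet: create one on the execution.
		cfg := buildConfig(authenticatorConfig{}, "browser-redirector", defaultProvider)
		return do(http.MethodPost, "/authentication/executions/"+execID+"/config", cfg, nil)
	}
	var existing authenticatorConfig
	if err := do(http.MethodGet, "/authentication/config/"+configID, nil, &existing); err != nil {
		return err
	}
	return do(http.MethodPut, "/authentication/config/"+configID,
		buildConfig(existing, "browser-redirector", defaultProvider), nil)
}

func main() {
	// Placeholder values; an operator would take these from the CR and its service-account token.
	err := setDefaultProvider(http.DefaultClient, "https://keycloak.example.invalid", "<token>", "my-realm", "my-idp")
	fmt.Println("result:", err)
}
```

Calling `setDefaultProvider` from a reconcile loop is safe to repeat: when the config already carries the requested `defaultProvider`, the PUT simply rewrites the same values, and an admin-added key in `config` survives because `buildConfig` copies it through.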

