I love the idea, but feels like there's some conceptual overlap with the Client Policies being worked as part of the FAPI efforts and their Client Conformance Profiles. Certainly agree that the proposed features are valuable.
What parts of the current client configuration would be part of the client type configuration? Everything under Settings+Roles+Client Scopes+Mappers+Scope? Or just Settings?
Added follow-up discussion #9066 with some more concrete examples of JSON format and some other more "fine-grained" considerations (e.g. how to show client types in the admin console).
It can be quite complicated to create clients in Keycloak as there are a large number of configuration options available for a client. As an example, let's imagine 3 different use-cases for clients:
For all 3 cases, to create the client a user needs to know a lot of details on how to configure a client to fit the above use-cases.
Now imagine you created 1000 clients for SPAs and you realised you made a mistake in how you configured them. Or, you simply want all to have some consistent config. The only way to do that would be to go through each client through the Admin Console or REST API, and update/verify the config.
In addition, it is rather hard to manage a large number of clients, as there's no way to distinguish which clients fill which use-cases as mentioned above. For example, if you want to find all "service accounts" the only way to do that is to iterate over all clients, to identify those that only have service account support enabled, and not configuration that allows other use-cases.
A solution to these problems would come by introducing a concept of client types in Keycloak. A client type would:
When creating a new client it is possible to select either the generic type, or a specific client type. When creating a client of a specific type the options on how to configure it would be limited.
To define new client types we'd want:
Custom client types can be deployed to the server globally, or declarative types could also be configured for individual realms.
At an implementation level a ClientType would wrap a ClientModel, in order to augment the config and also to validate new clients and updates to clients. A ClientType would also provide metadata to the Admin Console so it can show only relevant configuration options.
Implementation of client types should be split into multiple milestones:
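The audit the post describes as the only option today (iterating over every client to work out which use-case it serves and whether its config is consistent) looks roughly like this. It is an added example, not part of the original post and not Keycloak code: the flag names are ClientRepresentation fields, while the type names, the values each type pins, and the sample clients are assumptions made for illustration.

```python
import json

# Constructed sample: trimmed ClientRepresentation objects such as an
# Admin REST API client listing would return. Not real data.
SAMPLE_CLIENTS = json.loads("""
[
  {"clientId": "billing-job", "publicClient": false, "serviceAccountsEnabled": true,
   "standardFlowEnabled": false, "implicitFlowEnabled": false, "directAccessGrantsEnabled": false},
  {"clientId": "report-job", "publicClient": false, "serviceAccountsEnabled": true,
   "standardFlowEnabled": true, "implicitFlowEnabled": false, "directAccessGrantsEnabled": false},
  {"clientId": "shop-spa", "publicClient": true, "serviceAccountsEnabled": false,
   "standardFlowEnabled": true, "implicitFlowEnabled": false, "directAccessGrantsEnabled": false},
  {"clientId": "legacy-spa", "publicClient": true, "serviceAccountsEnabled": false,
   "standardFlowEnabled": true, "implicitFlowEnabled": true, "directAccessGrantsEnabled": true}
]
""")

# Hypothetical type definitions: the flag values each type is assumed to pin.
TYPE_RULES = {
    "service-account": {"publicClient": False, "serviceAccountsEnabled": True,
                        "standardFlowEnabled": False, "implicitFlowEnabled": False,
                        "directAccessGrantsEnabled": False},
    "spa": {"publicClient": True, "serviceAccountsEnabled": False,
            "standardFlowEnabled": True, "implicitFlowEnabled": False,
            "directAccessGrantsEnabled": False},
}

def drift(client, type_name):
    """Return {field: actual value} for each flag that deviates from the type.
    A flag missing from the representation is treated as False (assumption)."""
    rules = TYPE_RULES[type_name]
    return {k: client.get(k, False) for k, v in rules.items()
            if client.get(k, False) != v}

def classify(client):
    """A client belongs to a type only if every pinned flag matches exactly."""
    for name in TYPE_RULES:
        if not drift(client, name):
            return name
    return "generic"

def audit(clients):
    """Map clientId -> inferred type for a whole list of clients."""
    return {c["clientId"]: classify(c) for c in clients}

if __name__ == "__main__":
    for cid, kind in audit(SAMPLE_CLIENTS).items():
        print(f"{cid}: {kind}")
```

Clients that fall out as "generic" are the ones to review: `drift(client, "spa")` on `legacy-spa` shows the implicit flow and direct access grants still enabled, which is the kind of inconsistency a client type would reject at creation or update time.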