"executors": [
{
"executor": "pkce-enforce",
"configuration": {
"is-augment": "true"
}
},
{
"executor": "secure-client-authn",
"configuration": {
"client-authn": "client-jwt",
"is-augment": "true"
}
}
]
}
2) Add the configuration options as first-level citizens into JSON at
the same level like the "executor" option:
{
"name": "profile-basic",
"description": "Some profile description",
"builtin": false,
"executors": [
{
"executor": "pkce-enforce",
"is-augment": "true"
},
{
"executor": "secure-client-authn",
"client-authn": "client-jwt",
"is-augment": "true"
}
]
}
3) Make "executors" to NOT be an array, but object. And have the ID of
executor provider to be used as the keys inside the "executors" object.
This format is short and friendly IMO, however it has one limitation,
that you can't have more executors referring to same provider inside the
"Executors" field. This should not be an issue for the existing executor
and condition implementations,however I think that in general, this can
be an issue in the future. Due to this limitation, I am not in favor of
this option.
{
"name": "profile-basic",
"description": "Some profile description",
"builtin": false,
"executors": {
"pkce-enforce": {
"is-augment": "true"
},
"secure-client-authn": {
"client-authn": "client-jwt",
"is-augment": "true"
}
}
}
My preference is 2, 1, 3 and hence vote for 2 to be used. WDYT?
Marek
--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/2ff18472-082b-a364-9f57-a2a0dcdd4076%40redhat.com.
The "builtin" profiles are always set by default when you create new realm. We discussed before that "builtin" profiles should not be saved as realm attributes as they just always exists. Administrator cannot CRUD builtin profiles, however he should be able to see builtin profiles in admin console IMO.
Currently it works like this:
- In the "Form" view in the admin console, the builtin profiles are shown to administrator and they are read-only to him
- In the JSON editor view, builtin profiles are also shown right
now in my admin console prototype. Hence this "builtin" field is
also shown to differentiate builtin from those, which were
manually added.
In theory, we can hide builtin profiles in JSON editor. This will
allow us to remove "builtin" field as all the profiles shown in
JSON would never be builtin. However my vote is to show both
"builtin" and "non-builtin" in the JSON and just throw the error
in case administrator tries to change something in the "builtin"
profile. Showing JSON for builtin profile can be useful for
example when administrator wants to copy some "builtin" profile
into new profile as he wants to just do some small change in the
builtin profile (Similar use-case why people use "copy
authentication flow" to copy from some of our builtin
authentication flows).
"executors": [
{
"executor": "pkce-enforce",
"configuration": {
"is-augment": "true"
}
},
{
"executor": "secure-client-authn",
"configuration": {
"client-authn": "client-jwt",
"is-augment": "true"
}
}
]
}
2) Add the configuration options as first-level citizens into JSON at
the same level like the "executor" option:
{
"name": "profile-basic",
"description": "Some profile description",
"builtin": false,
"executors": [
{
"executor": "pkce-enforce",
"is-augment": "true"
Can we come up with a better name for "is-augment" something that is a bit more obvious? "auto-configure" or something?
+1, so let's change to "auto-configure" :)
I also did not know what term "augment" means since this year when first saw this term used by Quarkus.
Marek
{
"name": "profile-basic",
"description": "Some profile description",
"builtin": false,
"executors": {
"pkce-enforce": {
"is-augment": "true"
},
"secure-client-authn": {
"client-authn": "client-jwt",
"is-augment": "true"
}
}
}
My preference is 2, 1, 3 and hence vote for 2 to be used. WDYT?
Marek
--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/2ff18472-082b-a364-9f57-a2a0dcdd4076%40redhat.com.
For example, assume that in theory you have something like "Role
validator", which evaluates to true if user is member of specified
role. In case that this validator implementation supports just
single role, but administrator wants to have rule like "Validate
to true if user is member of role foo AND role bar", you would
need to add two instances of "role validator" - one for role "foo"
and one role "bar" .
This is not an issue for any of existing condition providers or executor providers, as for example "Condition role" allows to have array of roles. But I suppose it can be limitation in the future for some use-cases or implementations.
Also as pointed by Sebastian, ordering can be an issue with key-value pairs. To avoid potential issues with ordering etc, we can convert "executors" to an array as you pointed. So the variant of proposal 3 with executors as an array would look something like this:
}
This means "executors" as an array of JSONs where each JSON has just one key (like "pkce-enforce") and wrapping another inline JSON with the configuration. TBH the proposal 2 looks better to me than this one.
Marek