Feedback about new org for Gatekeeper


Bruno Oliveira

Apr 6, 2020, 1:14:45 PM
to keyclo...@googlegroups.com
Good afternoon,

We're evaluating the possibility of moving Gatekeeper out of the Keycloak
organization, to a dedicated organization. The motivation behind this
is to join the efforts with other companies and individual
contributors to build a neutral and fully standard-based proxy
solution to provide a great experience for application developers, by
having a separate governance structure detached from the Keycloak org.

Part of the Keycloak team will be working full time on it in
collaboration with companies and external contributors. Before moving
forward with any plans, we would like to hear your thoughts on this.

Note: I'm sending this email to each contributor that dedicated some
time to Gatekeeper.

--
- abstractj

Jan Garaj

Apr 6, 2020, 2:09:40 PM
to Keycloak Dev
Who will be in that new separate governance structure?
The Keycloak org is an authority with pretty solid authentication/authorization
knowledge, and I would like to be sure that there will still be an authority
which will reject any out-of-standard pull requests.

Joel Speed

Apr 7, 2020, 9:49:17 AM
to Keycloak Dev
Hi All,

Wanted to chime in here as the lead maintainer and representative of the oauth2-proxy[1] project.

I was approached by the Keycloak team late 2019 to broach the idea of a potential collaboration.
OAuth2-Proxy and Keycloak Gatekeeper ultimately occupy the same space within the ecosystem, though the projects historically have been rather different.

While Keycloak Gatekeeper has had backing from Red Hat, the OAuth2 Proxy was originally abandoned by Bitly, then adopted into Pusher for a bit, and is now independent and maintained by myself and a couple of others when they have the time.
This means the two teams have very different experiences when it comes to the shapes of the projects, the resources available and the needs of the users of the projects.

For me, this collaboration gives many new opportunities for both sides:
- Experiences from both organisations will help to build a better product, and ideally, users of both projects can unite on this new project when it is ready
- By moving to a new organisation, it is clear that this is an effort driven by a community and not a single company as it has been for both projects historically
- Combining teams deduplicates the work that we would otherwise be doing individually and spreads the load across more maintainers

While there is still a lot to be decided about how the project is going to move forward, I am personally really excited about this and dedicating as much time as I can to make sure we progress with this at a reasonable pace.

As for governance and authority on keeping the project based on standards, I think this is something that is still to be discussed, @Bruno do you have any thoughts on that?

Happy to field any questions on the topic from my perspective if that's useful,

--

Joel

Bruno Oliveira

Apr 7, 2020, 10:20:09 AM
to Joel Speed, Keycloak Dev
+1

On Tue, Apr 7, 2020 at 10:49 AM Joel Speed <jsp...@redhat.com> wrote:
>
> Hi All,
>
> Wanted to chime in here as the lead maintainer and representative of the oauth2-proxy[1] project.
>
> I was approached by the Keycloak team late 2019 to broach the idea of a potential collaboration.
> OAuth2-Proxy and Keycloak Gatekeeper ultimately occupy the same space within the ecosystem, though the projects historically have been rather different.
>
> While Keycloak Gatekeeper has had backing from Red Hat, the OAuth2 Proxy was originally abandoned by Bitly, then adopted into Pusher for a bit, and is now independent and maintained by myself and a couple of others when they have the time.
> This means the two teams have very different experiences when it comes to the shapes of the projects, the resources available and the needs of the users of the projects.
>
> For me, this collaboration gives many new opportunities for both sides:
> - Experiences from both organisations will help to build a better product, and ideally, users of both projects can unite on this new project when it is ready
> - By moving to a new organisation, it is clear that this is an effort driven by a community and not a single company as it has been for both projects historically
> - Combining teams deduplicates the work that we would otherwise be doing individually and spreads the load across more maintainers
>
> While there is still a lot to be decided about how the project is going to move forward, I am personally really excited about this and dedicating as much time as I can to make sure we progress with this at a reasonable pace.
>
> As for governance and authority on keeping the project based on standards, I think this is something that is still to be discussed, @Bruno do you have any thoughts on that?

Indeed, this is still something to be discussed. And I agree with Joel
on all the opportunities we have with this effort. We are joining
forces to build a healthier and better project, by benefiting from the
experience of both organizations and communities.

>
> Happy to field any questions on the topic from my perspective if that's useful,
>
> --
>
> Joel
>
> [1]: https://github.com/oauth2-proxy/oauth2-proxy/



--
- abstractj

Bruno Oliveira

Apr 7, 2020, 10:21:28 AM
to Fox, Kevin M, keyclo...@googlegroups.com
Hi Kevin,

Having a separate organization is part of our plans to submit to CNCF
in the future, but not at the moment. We still have a long road ahead.

On Mon, Apr 6, 2020 at 2:21 PM Fox, Kevin M <Kevi...@pnnl.gov> wrote:
>
> In general that sounds really good. It's a bit unclear how that plays with the new run for joining the CNCF (also good). Would the new org also be submitting Gatekeeper to the CNCF?
>
> Thanks,
> Kevin
>
> ________________________________________
> From: keyclo...@googlegroups.com <keyclo...@googlegroups.com> on behalf of Bruno Oliveira <br...@abstractj.org>
> Sent: Monday, April 6, 2020 10:14 AM
> To: keyclo...@googlegroups.com
> Subject: [keycloak-dev] Feedback about new org for Gatekeeper



--
- abstractj

Bruno Oliveira

Apr 7, 2020, 10:26:53 AM
to Jan Garaj, Keycloak Dev
Hi Jan,

As mentioned by Joel, the oauth2-proxy organization will join forces
with the Keycloak team, using Gatekeeper as a starting point by
following all the standards as we already do today. But we count on
the OSS community to help us shape the future of the new project.

This is not only for organizations willing to maintain it but also for
individual contributors who would like to actively participate.



--
- abstractj

Bruno Oliveira

Apr 7, 2020, 10:29:39 AM
to leosc...@gmail.com, keyclo...@googlegroups.com
Thanks for your feedback. We believe that moving the project under
a new umbrella brings more independence than just rebranding and
allows us to define a governance model with other companies and
individual contributors.

On Mon, Apr 6, 2020 at 4:32 PM Leopold Schabel <leosc...@gmail.com> wrote:
>
> Hi Bruno,
>
> sounds reasonable - I actually use Gatekeeper with GSuite these days since it's much more powerful than oauth2_proxy. But I only know about it since I used to work with KeyCloak.
>
> Maybe it doesn't even have to be a separate organization? Just rebrand it to "keycloak/gatekeeper" and emphasize that it's a general purpose tool.
>
> Best
> Leopold
--
- abstractj

Bruno Oliveira

Apr 7, 2020, 10:30:30 AM
to Vadim Bauer, keyclo...@googlegroups.com
Thanks for your input Vadim. You are more than welcome to join us.

On Mon, Apr 6, 2020 at 5:35 PM Vadim Bauer <bauer...@gmail.com> wrote:
>
> very good idea. We did some modification in the past to make Gatekeeper work with auth0.
> Could contribute that to the project, if needed. Need to check with auth0 guys first.
>
> Cheers,
> Vadim
--
- abstractj

Bruno Oliveira

Apr 7, 2020, 10:32:37 AM
to Frédéric Bidon, keyclo...@googlegroups.com
Hey, I hope you're doing well.

Thanks for your input, that helps!

On Tue, Apr 7, 2020 at 7:09 AM Frédéric Bidon <fred...@oneconcern.com> wrote:
>
> Hello Bruno, long time no see, huh?
>
> Yes, this is a good idea. Gatekeeper is in fact rather loosely coupled to keycloak.
>
> Cheers,
>
> Frederic
--
- abstractj

Jan Garaj

Apr 7, 2020, 1:32:06 PM
to Keycloak Dev
Thanks for the info. It looks like a good idea +1.

Jonathon Barrow

May 19, 2020, 11:22:34 PM
to Keycloak Dev
Unfortunately, due to recent changes to Keycloak in 10.0.0, Gatekeeper no longer works. It doesn't use valid scopes, and I can't use the "new" docker image here, as I don't have permission to access the repo.
Currently, this has killed access to 6 services I run.

Stian Thorgersen

May 20, 2020, 3:23:12 AM
to Jonathon Barrow, Keycloak Dev
What invalid scopes are being requested?

If there are important/breaking changes in Gatekeeper we do plan to make updated releases until Louketo is ready. Alternatively, we can also consider a workaround in Keycloak for this - basically a switch to allow unknown scopes for specific clients.


Jonathon Barrow

May 20, 2020, 3:27:16 AM
to Keycloak Dev
Looks like that would be `user`. The listed scopes are `scope=user+openid+email+profile`. User is not a valid scope on Keycloak though.

Stian Thorgersen

May 20, 2020, 3:32:41 AM
to Jonathon Barrow, Keycloak Dev
Strange. Got no clue why it would request a "user" scope as that's not a standard scope.

So seems fix for this should go into Gatekeeper. Can you open a bug then we'll see what we can do?


Jonathon Barrow

May 20, 2020, 5:03:42 AM
to Keycloak Dev
Sorry for the delay, ducked off for dinner.

I've created an issue on the tracker over here: https://issues.redhat.com/browse/KEYCLOAK-14250

Stian Thorgersen

May 20, 2020, 5:22:11 AM
to Jonathon Barrow, Keycloak Dev
Thanks, we will see if we can get a 10.0.2 release out soon that includes a fix for this in Gatekeeper.


Bruno Oliveira

May 20, 2020, 5:49:11 AM
to Jonathon Barrow, Keycloak Dev
Hi Jonathon, as far as I know we do not have any default to "user" in
the codebase; we provide the option for people to pass scope as an
argument through the option "scopes". In the code we have:

Scope: append(r.config.Scopes, oidc.DefaultScope...),

oidc.DefaultScope contains: "openid", "email", "profile"

Could you please attach your YAML file to the Jira?



--
- abstractj

Jonathon Barrow

May 20, 2020, 6:21:24 AM
to Keycloak Dev
<.<

So, umm... It was added in there. Was probably from when I tried to follow a tutorial when I first set it up.
Thank you for pointing me in the right direction. Now all that's left is figuring out why the login flow doesn't work. That is not for here though.
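
The scope mismatch worked through in the last few messages can be caught before a proxy is deployed. The following is an added example, not part of the original thread and not Gatekeeper's own code: it builds the scope list in the order of the quoted `append` line and compares it with the `scopes_supported` list from an OIDC discovery document. The function names and the sample discovery document are assumptions made for illustration, and it assumes the identity provider publishes `scopes_supported`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// defaultScopes holds the three values the thread lists for oidc.DefaultScope.
var defaultScopes = []string{"openid", "email", "profile"}

// sampleDiscovery is a constructed OIDC discovery document, not real Keycloak output.
const sampleDiscovery = `{"scopes_supported":["openid","email","profile","offline_access"]}`

// requestedScopes puts configured scopes first, then the defaults; dropping duplicates is an addition.
func requestedScopes(configured []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, s := range append(append([]string{}, configured...), defaultScopes...) {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// unsupportedScopes returns the requested scopes missing from scopes_supported.
func unsupportedScopes(requested []string, discovery []byte) ([]string, error) {
	var meta struct {
		ScopesSupported []string `json:"scopes_supported"`
	}
	if err := json.Unmarshal(discovery, &meta); err != nil {
		return nil, fmt.Errorf("parse discovery document: %w", err)
	}
	known := map[string]bool{}
	for _, s := range meta.ScopesSupported {
		known[s] = true
	}
	var bad []string
	for _, s := range requested {
		if !known[s] {
			bad = append(bad, s)
		}
	}
	return bad, nil
}

func main() {
	bad, err := unsupportedScopes(requestedScopes([]string{"user"}), []byte(sampleDiscovery)) // "user": the stray scope from the thread
	fmt.Println(bad, err)
}
```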