In the use cases that handle sensitive data in large scale business and expose keycloak's endpoints publicly (e.g., Authorization Endpoint, Token Endpoint), the customers of such use cases require to grasp which response (including error response) is returned from each endpoint in which situation in detail in advance.

To do so, we need to investigate keycloak source codes. Whenever updating keycloak, we need to do so again.

Regardless of its business scale, API specification-based client application development is in common. It is easy for client application developers to develop and test their own application if they can use an Authz server's endpoint specification in OpenAPI. With endpoint specification, such development and testing can be integrated into CI/CD pipeline run automatically.

Considering these points above, I think it is worthwhile to document such endpoint specification in open standard like OpenAPI.

In addition to your comment, even for Admin API could be beneficial have this documented as well to be able to use without doing this type of investigation (at Keycloak codebase).

@jairsjunior I've opened this discussion. #8898

I'm still not 100% convinced to be honest, as we haven't had anyone ask about this as far as I remember. So, worried it's a lot of effort to add, and maintain, for very few people to use it.

I could definitively be convinced if we could generate the OpenAPI spec in a nice and clean way from annotated sources rather than manually crafting it (like what we did as a temporary solution for the Account APIs). If that same approach is then extendable to all endpoints even better.

I see, I've recognized that a lot of effort might be needed to maintain the documentation in OpenAPI spec.
I would like to study the way of automation for this work as you've pointed out.

I agree with your small start plan that work on Account REST API at first.

IMO, we have two options, OpenAPI spec driven as you've suggested and code driven as I've suggested.
Regardless of them, we need to avoid additional maintenance costs as possible and need to keep synchronizing Open API spec and REST API codes.

For OpenAPI spec, I expect that this option can generate REST API codes from OpenAPI spec automatically.
I'm not sure how to do it in detail, but I'm afraid that automatically generated REST API codes need to be merged onto keycloak's code base manually.
Could you know how to generate REST API codes from OpenAPI spec automatically and synchronizing keycloak's code base?

The openapi-generator-maven-plugin could do the work. To synchronize with the Keycloak codebase, probably we need to automate this with GH actions. I believe we need a PoC to see if those things will work in practice.

I see, is it better to wait for other contributor's opinion about whether this work would be started officially for several weeks?

Yes, We'll wait for them coming back next year.

Any news on it? I'm checking the maven plugin that was shared at the previous messages to do a PoC.

@stianst You've suggested code to OpenAPI spec approach while here OpenAPI spec to code approach is proposed. WDYT?
IMO, it might be good to do PoC for OpenAPI spec to code approach for Account API.

Hi @mostafa. Thanks for the help.

I have a guess that it is not there because of how we are exposing the Organization API in the Admin API. The API is exposed via RealmAdminResourceSpi and we do have the endpoints annotated. For some reason they are not being processed when generating the docs.

Created #30832