[keycloak-dev] Realms and applications

Bill Burke bburke at redhat.com
Tue Jul 30 12:58:34 EDT 2013


I'm not sure yet if there will be a one-to-many for realm->applications. 
But an application needs to be aware of the realms it is interacting 
with for a variety of reasons.

The whole OAuth 2 protocol[1] requires knowledge of the realm it is 
logging into:

* It needs to be registered with the realm and have a client_id and a set 
of credentials
* It needs to know which realm to make an authenticated request to so it 
can turn an access code into an access token. (This happens after 
Keycloak redirects the browser back to the application)
* For bearer token authentication, it needs to know the public key of 
the realm the token comes from so it can verify the signed token.
* For single sign-off, Keycloak sends a signed request to the admin URL 
of the application.  The application needs to know the public key of the 
realm sending the request so it can verify the signed request.  It also 
needs a way to match the request user to an HTTP session so it can 
invalidate that session.

Obtaining user profile information is sensitive.  In many cases, we have 
to know that the user authorized this behavior.  In others, the realm 
admin will have to assign permission (one or more roles) to an 
application to be able to request this information.

IMO, for the first few iterations, there should only be a one-to-one 
mapping between Realm and application.  I'm not sure how useful 
one-to-many would be anyways.

[1] http://tools.ietf.org/html/rfc6749



On 7/30/2013 11:54 AM, Stian Thorgersen wrote:
> Is the relationship between a realm and applications one-to-many? If so I assume it would be possible to change the realm an application uses?
>
> Also I was wondering if it's necessary that an application has to know what realm to use to login users. According to https://github.com/keycloak/keycloak/wiki/Login-Algorithm the application should redirect to:
>
> https://keycloak.org/realms/demo/tokens/login?state=...&redirect_uri=...&client_id=...
>
> Would it not be better if it didn't have to know about the realm? So login would be something like:
>
> https://keycloak.org/oauth2/?state=...&redirect_uri=...&client_id=...
>
> Same applies when an application wants to access lists of users, or the user profile for a specific user, etc.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
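The per-realm state Bill lists above (client_id and credentials, the realm's public key for bearer-token verification, and verification of the signed sign-off request plus a user-to-session mapping) sketched as one Go program. This is an added example, not code from the thread or from Keycloak; it uses only the Go standard library. The RealmConfig field names, the claim layout (iss/sub/aud/exp and an "action" claim marking a logout request), the realm and client names, and the RS256 compact-token format are all assumptions made for the illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// RealmConfig is the per-realm state an application holds once registered: client_id
// and secret for the code-to-token exchange, and the realm's public key (names assumed).
type RealmConfig struct {
	Name, ClientID, Secret string
	PublicKey              *rsa.PublicKey
}

// Claims is the minimal payload of a signed token or signed admin request.
type Claims struct {
	Iss    string `json:"iss"`              // issuing realm
	Sub    string `json:"sub"`              // user
	Aud    string `json:"aud"`              // client_id the token is for
	Exp    int64  `json:"exp"`              // expiry, Unix seconds
	Action string `json:"action,omitempty"` // "logout" on a sign-off request (assumed)
}

var enc, dec = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString
var hdrRS256 = enc([]byte(`{"alg":"RS256","typ":"JWT"}`))

// NewRealm stands in for realm creation plus application registration: it
// generates the realm signing key and hands the application the public half.
func NewRealm(name, clientID string) (RealmConfig, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return RealmConfig{}, nil, err
	}
	return RealmConfig{name, clientID, "s3cret", &priv.PublicKey}, priv, nil
}

// Sign is the realm side: a compact RS256 token, header.payload.signature.
func Sign(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c)
	input := hdrRS256 + "." + enc(payload)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc(sig), nil
}

// Verify is the application side: the signature is checked against the key of the one
// realm this application is configured for, then issuer, audience and expiry.
func Verify(realm RealmConfig, token string, now int64) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != hdrRS256 { // pin alg: header is untrusted input
		return Claims{}, errors.New("malformed token or unsupported alg")
	}
	payload, err1 := dec(parts[1])
	sig, err2 := dec(parts[2])
	if err1 != nil || err2 != nil {
		return Claims{}, errors.New("bad base64url")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(realm.PublicKey, crypto.SHA256, h[:], sig) != nil {
		return Claims{}, errors.New("signature does not verify under the realm key")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	if c.Iss != realm.Name || c.Aud != realm.ClientID {
		return Claims{}, errors.New("token is for a different realm or client_id")
	}
	if c.Exp <= now {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// Sessions maps a user to that user's live HTTP session IDs in the application.
type Sessions map[string][]string

// HandleSignOff is what the application's admin URL does with the realm's signed
// request: verify it under the realm key, then drop that user's sessions (returned).
func (s Sessions) HandleSignOff(realm RealmConfig, req string, now int64) ([]string, error) {
	c, err := Verify(realm, req, now)
	if err != nil {
		return nil, err
	}
	if c.Action != "logout" {
		return nil, errors.New("not a sign-off request")
	}
	gone := s[c.Sub]
	delete(s, c.Sub)
	return gone, nil
}
```

The point the code makes concrete is that Verify takes a single RealmConfig: a token or sign-off request signed by any other realm fails at the signature step before its claims are even read, and a token from the right realm but for another client_id fails the audience check. Whatever multiplicity realm->application ends up with, the application has to know which realm's key and client_id to apply to each request.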