[keycloak-dev] Feedback on Oauth Clients
mposolda at redhat.com
Mon Oct 7 08:57:08 EDT 2013
On 7.10.2013 13:01, Stian Thorgersen wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 3 October, 2013 2:59:15 PM
>> Subject: [keycloak-dev] Feedback on Oauth Clients
>> I need some feedback on how to handle OAuth Clients. OAuth clients are
>> like Applications in that Keycloak is used to log in, but OAuth clients
>> are required to be forwarded through the OAuth Grant Page. Users must
>> directly grant permission to the OAuth client to access stuff. OAuth
>> clients will also not be hooked into Single Logout or the session
>> management facilities I hope to incorporate into Keycloak. OAuth
>> clients will also not have roles associated with them.
>> The way Google does it is that they require you to log in using your
>> Google account, then you create applications within their cloud service
>> app. Applications get their own unique client-id and password and you
>> then assign permissions to this application.
>> I was thinking we should do something similar for Keycloak.
>> For our first release, we'll have a specific Admin UI in which you can
>> create OAuth clients in much the same way you create applications.
>> For phase 2, I was thinking that the user account management would be
>> expanded to have an option (if allowed by the realm) for creating and
>> registering an OAuth client. The user would then have a client-id
>> generated for them and they would have to set up credentials for this
> I think this should be part of the admin console, not the account management. A realm should have an option to enable "user-defined applications" or whatever you'd call them. I also think that users should have roles associated with them to be allowed to log in to the admin console + to create applications.
> When a realm user logs in to the admin console he should be able to create applications under the realm, but not to change any realm configurations, nor create new realms, etc. Applications created by such users should be "OAuth Client", not "Keycloak Applications", so the grant page would pop up on login.
> In fact a realm user should be able to login to the admin console and perform any operation the user has been given access to do?
I wonder if it makes sense to create some flexible authorization support
to cover all needs? We can have something like realm actions (create
realm role, create application, create OAuth client, create application
role...) and specify which role has permission to perform which actions?
This would allow more fine-grained authorization, so we could specify,
for example, that users with role X can create new applications, but not
create new roles, assign users to realm roles, update realm configuration,
etc. On the other hand, users with role Y can create new roles or assign
users to realm roles. Users with role Z don't have permission to access
realm configuration or applications in the Admin UI at all, etc. The
authorization administration itself would be quite important, so initially
only the realm administrator will be able to change authorization settings
and assign actions/permissions to roles.
Again, I am not sure if this is a big priority for M1, but I think that in
the end flexible authorization would be required by Keycloak users.
>> Bill Burke
>> JBoss, a division of Red Hat
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
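A sketch of the role-to-realm-action model proposed in the reply above, added here as an illustration; it is not Keycloak code, and the action and role names are assumptions. The point it makes concrete is that editing the permission table is itself a protected action, so a role that may only create applications cannot widen its own grants.

```python
"""Role -> realm-action authorization sketch (constructed example, not Keycloak)."""
from dataclasses import dataclass, field

# Realm actions the admin console would enforce (names are assumed).
CREATE_REALM_ROLE = "create-realm-role"
CREATE_APPLICATION = "create-application"
CREATE_OAUTH_CLIENT = "create-oauth-client"
ASSIGN_REALM_ROLE = "assign-realm-role"
UPDATE_REALM_CONFIG = "update-realm-config"
MANAGE_AUTHORIZATION = "manage-authorization"  # changing the mapping itself


class AuthorizationError(PermissionError):
    """Raised when a caller's roles do not permit the requested action."""


@dataclass
class RealmAuthorization:
    # role name -> set of permitted actions; the realm admin role is allowed everything
    grants: dict = field(default_factory=dict)
    admin_role: str = "realm-admin"

    def allowed(self, roles, action):
        if self.admin_role in roles:
            return True
        return any(action in self.grants.get(r, set()) for r in roles)

    def require(self, roles, action):
        if not self.allowed(roles, action):
            raise AuthorizationError(f"{action} denied for roles {sorted(roles)}")

    def grant(self, actor_roles, role, action):
        # Editing the table is a protected action: initially only realm-admin holds it.
        self.require(actor_roles, MANAGE_AUTHORIZATION)
        self.grants.setdefault(role, set()).add(action)


def build_demo_realm():
    """Realm admin sets up role X (apps only) and role Y (roles only)."""
    authz, admin = RealmAuthorization(), {"realm-admin"}
    authz.grant(admin, "app-creator", CREATE_APPLICATION)
    authz.grant(admin, "app-creator", CREATE_OAUTH_CLIENT)
    authz.grant(admin, "role-manager", CREATE_REALM_ROLE)
    authz.grant(admin, "role-manager", ASSIGN_REALM_ROLE)
    return authz


def self_escalation_blocked(authz):
    """True if an app-creator cannot grant itself the role-creation action."""
    try:
        authz.grant({"app-creator"}, "app-creator", CREATE_REALM_ROLE)
    except AuthorizationError:
        return not authz.allowed({"app-creator"}, CREATE_REALM_ROLE)
    return False
```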