[keycloak-dev] Client Self-Registration and Administration Plugin

Stian Thorgersen sthorger at redhat.com
Wed Jun 8 00:40:43 EDT 2016


On 7 June 2016 at 15:32, Erik Berdonces Bonelo <
e.berdoncesbonelo at campus.tu-berlin.de> wrote:

> Hi,
>
> Thanks for the fast answer. I totally understand the permissions issue,
> and well, the reason to send the previous mail was just to avoid this kind
> of problems.
>
> Regarding your suggestion on how to implement the self-registration, I
> understand (after reading the documentation again) how to use the Realm
> Resource SPI together with user attributes or either use the Client
> Registration Service.
>
> However, as I see, there is no way to integrate it with the existing UI
> that Keycloak has, is there? I’ve only been able to find that there are
> ways to extend the ServerInfo page with some information, (example found in
> chapter 4.1.1 in the documentation). Is there anything similar to a
> FormAction as described in 34.5.1 in the documentation to integrate this
> extension with Keycloak’s UI, or I should create my own UI to create the
> interface for this custom endpoints?
>

You can extend the admin console by adding a custom admin theme. It's not
too elegant and requires some effort when upgrading to new versions, but
it's possible. It may be simpler to create your own UI. If you create the
UI as a HTML5 you can add the html files, javascript, etc. to a custom
admin theme and all you'd have to do is to have a realm resource provide
the landing page and then point to resource like our admin console does
(which is then loaded from the theme).


>
> I’m sorry if these questions may be a bit basic, but even with the
> documentation, as it is so extensive, I get sometimes a bit lost on what
> tools I have available to implement with in this platform.
>

A lot of the SPIs and customization parts are not polished or documented
well so not to worry ;)


>
> Best Regards,
>
> Erik Berdonces Bonelo
>
> On 6 June 2016 at 19:36:07, Stian Thorgersen (sthorger at redhat.com) wrote:
>
> Hi,
>
> We are planning to add more fine-grained permissions on admin endpoints in
> the future, but it will be a while until we get to it. I'm not very keen on
> accepting something like this now as we are planning to do fairly big
> changes around this in the future. You're also the first person to ask
> about having clients specific to user, other people have so far requested
> groups of clients that groups of users can manage.
>
> I'd recommend using the Realm Resource SPI to create custom endpoints to
> accomplish this. You can use an attribute on the clients to store the user
> that has created the client and only allow that user to modify it in the
> future. You can also consider using the client registration service. The
> client registration service allows anyone with a create-role or an initial
> access token to create clients. When a client is created it returns a
> registration access token that gives permission to modify/delete that
> particular client in the future.
>
> On 6 June 2016 at 14:39, Erik Berdonces Bonelo <
> e.berdoncesbonelo at campus.tu-berlin.de> wrote:
>
>>
>>
>> Hello,
>>
>> I’m working at the moment in a Master Thesis project in TU Berlin where
>> we are using Keycloak for Authentication and Authorisation purposes.
>> We are planning on extending Keycloak in order to provide users a way to
>> register clients/applications by themselves into the platform, while having
>> an admin overseeing the system.
>>
>> This would mean that as a user, if I have the proper rights I should be
>> able to create and manage my own clients. With this comes the idea of
>> ownership, as this would mean that a client ownership could be transferred
>> to someone else.
>> Also, the admin should be able to accept, revoke and delete the clients
>> and requests to create clients in my Keycloak.
>>
>> At the moment the only option would be giving the permission to create
>> clients to the user, but that would allow to change ANY of the possible
>> clients.
>>
>> Then, I have two questions:
>>   1. Would it make sense to integrate this to the Keycloak core?
>>   2. If it doesn’t make sense to merge it in the core, is there any
>> plugin system to extend Keycloak’s core? I’ve seen a discussion related to
>> a plugin system in GitHub but there is no outcome yet. We would rather like
>> to integrate it with Keycloak itself, otherwise the other option would be
>> creating a client that uses Keycloak’s REST API to manage the clients
>> remotely.
>>
>> Thanks a lot in advance!
>>
>> Best Regards,
>>  Erik Berdonces Bonelo
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
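
The owner-attribute approach suggested in the thread, as an added example that is not part of the original messages or of Keycloak: a plain-Python model of the checks a custom endpoint would apply, not Keycloak's Java SPI. The names OWNER_ATTR and ADMIN_ROLE and the dictionary shapes for callers and clients are assumptions made for illustration.

```python
OWNER_ATTR = "owner"          # hypothetical client attribute holding the creator's user id
ADMIN_ROLE = "client-admin"   # hypothetical role of the overseeing admin


class Forbidden(Exception):
    pass


def is_admin(caller):
    return ADMIN_ROLE in caller["roles"]


def can_manage(caller, client):
    """Admins manage every client; others only clients whose owner attribute names them."""
    owner = client["attributes"].get(OWNER_ATTR)
    # A client without the attribute (created outside this endpoint) is admin-only.
    return is_admin(caller) or (owner is not None and owner == caller["id"])


def create_client(store, caller, client_id, body):
    if client_id in store:
        raise Forbidden("client id already taken")
    attrs = dict(body.get("attributes", {}))
    attrs[OWNER_ATTR] = caller["id"]   # owner comes from the authenticated caller, never the body
    store[client_id] = {"enabled": False, "attributes": attrs}  # stays disabled until approved
    return store[client_id]


def update_client(store, caller, client_id, body):
    client = store[client_id]
    if not can_manage(caller, client):
        raise Forbidden("not the owner")
    attrs = dict(body.get("attributes", {}))
    fields = {k: v for k, v in body.items() if k != "attributes"}
    if not is_admin(caller):
        attrs.pop(OWNER_ATTR, None)    # a plain update must not reassign ownership
        fields.pop("enabled", None)    # and must not self-approve the client
    client.update(fields)
    client["attributes"].update(attrs)
    return client


def transfer(store, caller, client_id, new_owner_id):
    client = store[client_id]
    if not can_manage(caller, client):
        raise Forbidden("not the owner")
    client["attributes"][OWNER_ATTR] = new_owner_id
    return client


def set_enabled(store, caller, client_id, enabled):
    if not is_admin(caller):           # accept/revoke is reserved for the admin
        raise Forbidden("admin only")
    store[client_id]["enabled"] = enabled
    return store[client_id]
```
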