<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">(the mail got sent by mistake without finishing)</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Then, it I’d try to filter the users using this parameter (somehow like a dynamic scope, but depending on a parameter, rather than the role). I was thinking on adding a custom validation flow and use there a Script Based Authentication to check if a user can go through or not.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Do you think this is feasible? As I’m not sure (and that part is not so well documented) if it’s possible to access the client attributes from the Authentication Script.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Thanks a lot and sorry for the split message!</div> <br> <div id="bloop_sign_1475063540082999040" class="bloop_sign"><div style="font-family:helvetica,arial;font-size:13px">— </div><div style="font-family:helvetica,arial;font-size:13px">Best Regards, </div><div style="font-family:helvetica,arial;font-size:13px"><br>Erik Berdonces Bonelo<br></div></div> <br><p class="airmail_on">On 28 September 2016 at 13:52:42, Erik Berdonces Bonelo (<a href="mailto:e.berdoncesbonelo@campus.tu-berlin.de">e.berdoncesbonelo@campus.tu-berlin.de</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div></div><div>
<title></title>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
Hi Stian,</div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
<br></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
Sorry for coming back so late, opening again this thread. I’m
focusing now in the implementation in Keycloak, and I really
appreciate the updated documents in v2.2.1. They really help a
lot.</div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
<br></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
Just one question: how is it possible to add a custom attribute to
a client? It’s well documented how to do so with a User, but it’s
not clear how to do it with a client. The idea is to add a
customisable attribute, that you can send through the Client
Registration API as a parameter and keep it in the client.</div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
<br></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
<br></div>
<br>
<div id="bloop_sign_1475062954827683840" class="bloop_sign">
<div style="font-family:helvetica,arial;font-size:13px">
— </div>
<div style="font-family:helvetica,arial;font-size:13px">
BestRegards, </div>
<div style="font-family:helvetica,arial;font-size:13px"><br>
Erik Berdonces Bonelo<br></div>
</div>
<br>
<p class="airmail_on">On 8 June 2016 at 06:40:47, Stian Thorgersen
(<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>)
wrote:</p>
<blockquote type="cite" class="clean_bq">
<div>
<div>
<div dir="ltr"><span><br></span>
<div class="gmail_extra"><span><br></span>
<div class="gmail_quote"><span>On 7 June 2016 at 15:32, Erik
Berdonces Bonelo <span dir="ltr"><<a href="mailto:e.berdoncesbonelo@campus.tu-berlin.de" target="_blank">e.berdoncesbonelo@campus.tu-berlin.de</a>></span>
wrote:<br></span>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
Hi,</div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br></div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
Thanks for the fast answer. I totally understand the permissions
issue, and well, the reason to send the previous mail was just to
avoid this kind of problems.</div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br></div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
Regarding to your suggestion on how to implement the
self-registration, I understand (after reading the documentation
again) how to use the Realm Resource SPI together with user
attributes or either use the Client Registration Service.</div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br></div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
However, as I see, there is no way to integrate it with the
existing UI that Keycloak has,doesn’t it? I’ve only been able to
find that there are ways to extend the ServerInfo page with some
information, (example found in chapter 4.1.1 in the documentation).
Is there anything similar to a FormAction as described in 34.5.1 in
the documentation to integrate this extension with Keycloak’s UI,
or I should create my own UI to create the interface for this
custom endpoints?</div>
</div>
</blockquote>
<div><br></div>
<div>You can extend the admin console by adding a custom admin
theme. It's not to elegant and requires some effort when upgrading
to new versions, but it's possible. It may be simpler to create
your own UI. If you create the UI as a HTML5 you can add the html
files, javascript, etc. to a custom admin theme and all you'd have
to do is to have a realm resource provide the landing page and then
point to resource like our admin console does (which is then loaded
from the theme). </div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br></div>
<div style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
I’m sorry if this questions may be a bit basic, but even with the
documentation, as it is so extensive, I get sometimes a bit lost on
what tools I have available to implement with in this
platform.</div>
</div>
</blockquote>
<div><br></div>
<div>A lot of the SPIs and customization parts are not polished or
documented well so not to worry ;)</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><span class=""><br></span>
<div>
<div style="font-family:helvetica,arial;font-size:13px">
<span class="">— </span></div>
<div style="font-family:helvetica,arial;font-size:13px">
<span class="">Best Regards, </span></div>
<div style="font-family:helvetica,arial;font-size:13px">
<span class=""><br>
Erik Berdonces Bonelo<br></span></div>
</div>
<span class=""><br></span>
<div>
<div class="h5">
<p>On 6 June 2016 at 19:36:07, Stian Thorgersen (<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>) wrote:</p>
<blockquote type="cite">
<div>
<div>
<div dir="ltr"><span>Hi,</span>
<div><span><br></span></div>
<div><span>We are planing to add more fine-grained permissions on
admin endpoints in the future, but it will be a while until we get
to it. I'm not very keen on accepting something like this now as we
are planning to do fairly big changes around this in the future.
You're also the first person to ask about having clients specific
to user, other people have so far requested groups of clients that
groups of users can manage.</span></div>
<div><span><br></span></div>
<div><span>I'd recommend using the Realm Resource SPI to create
custom endpoints to accomplish this. You can use an attribute on
the clients to store the user that has created the client and only
allow that user to modify it in the future. You can also consider
using the client registration service. The client registration
service allows anyone with a create-role or an initial access token
to create clients. When a client is created it returns a
registration access token that gives permission to modify/delete
that particular client in the future.</span></div>
</div>
<div class="gmail_extra"><span><br></span>
<div class="gmail_quote"><span>On 6 June 2016 at 14:39, Erik
Berdonces Bonelo <span dir="ltr"><<a href="mailto:e.berdoncesbonelo@campus.tu-berlin.de" target="_blank">e.berdoncesbonelo@campus.tu-berlin.de</a>></span>
wrote:<br></span>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
Hello,<br>
<br>
I’m working at the moment in a Master Thesis project in TU Berlin
where we are using Keycloak for Authentication and Authorisation
purposes.<br>
We are planning on extending Keycloak in order to provide users a
way to register clients/applications by themselves into the
platform, while having an admin overseeing the system.<br>
<br>
This would mean that as a user, if I have the proper rights I
should be able to create and manage my own clients. With, this it
comes the idea of ownership, as this would mean that a client
ownership could be transferred to someone else.<br>
Also, the admin should be able to accept, revoke and delete the
clients and requests to create clients in my Keycloak.<br>
<br>
At the moment the only option would be giving the permission to
create clients to the user, but that would allow to change ANY of
the possible clients.<br>
<br>
Then, I have two questions:<br>
1. Would it make sense to integrate this to the Keycloak
core?<br>
2. If it doesn’t make sense to merge it in the core, is
there any plugin system to extend Keycloak’s core? I’ve seen a
discussion related to a plugin system in GitHub but there is no
outcome yet. We would rather like to integrate it with Keycloak
itself, otherwise the other option would be creating a client that
uses Keycloak’s REST API to manage the clients remotely.<br>
<br>
Thanks a lot in advance! <br>
<br>
— <br>
Best Regards,<br>
Erik Berdonces Bonelo<br>
<br>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></blockquote>
</div>
<br></div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br></div>
</div>
</div>
</div>
</blockquote>
</div></div></span></blockquote></body></html>