[keycloak-user] Sharing users

Bill Burke bburke at redhat.com
Tue Apr 15 10:45:26 EDT 2014


User information can be obtained from the IDToken within
KeycloakSecurityContext.  You can set up what information is in the
IDToken via the claims page in each application/oauth client.

For other user requests (like changing passwords), use the Account 
Service.  Every authenticated user has permission to access this REST 
API by default.

On 4/15/2014 10:41 AM, Nils Preusker wrote:
> By management REST API you mean the API the admin console uses?
>
> Just to make sure I understand your suggestion correctly:
>
> * I would use the management REST API (same API the admin console uses)
> from my backend application
> * my backend application would need a user ("application user") within
> the keycloak-admin realm
> * when accessing the management REST API, I would add an "Authorization:
> Bearer ..." header with the token I can obtain from
> .../auth/rest/realms/MY-REALM/tokens/grants/access
>
> Cheers,
> Nils
>
>
>
> On Tue, Apr 15, 2014 at 3:10 PM, Bill Burke <bburke at redhat.com> wrote:
>
>     IMO, you should not use the model directly in your applications.  The
>     management REST API gives you full access to security metadata.  Use
>     that.  Plus, in the very near future (after beta-1 release) we'll be
>     implementing a cache and if you are modifying data directly, there will
>     be possibilities of this cache using stale data.
>
>     On 4/15/2014 4:30 AM, Stian Thorgersen wrote:
>      > At some point we'll add Java and REST APIs for user
>      > management. This will also include being able to register listeners
>      > for user events (for example user created, user deleted, etc).
>      >
>      > In the meantime I don't see any issues with using
>      > keycloak-model-jpa directly, especially not for read only. This API
>      > will quite likely change between versions, and we won't support any
>      > backwards compatibility. The "official" user management API once
>      > it's ready will be more stable, but I'm not sure when we'll have
>      > time to implement that.
>      >
>      > ----- Original Message -----
>      >> From: "Nils Preusker" <n.preusker at gmail.com>
>      >> To: keycloak-user at lists.jboss.org
>      >> Sent: Tuesday, 15 April, 2014 9:22:44 AM
>      >> Subject: [keycloak-user] Sharing users
>      >>
>      >> Hi, I have a question regarding user management and sharing access to the
>      >> keycloak database between applications.
>      >>
>      >> While the keycloak admin console can be used to manage users, other
>      >> applications may also need to access the user database. Is there a
>      >> recommended way of accomplishing this?
>      >>
>      >> I've been experimenting with adding keycloak-model-jpa to my .war as a
>      >> dependency and looking at the bootstrapping in
>      >> org.keycloak.services.resources.KeycloakApplication. However, I wasn't able
>      >> to get it to work yet and have the feeling that I might be going the wrong
>      >> way here.
>      >>
>      >> Any hints?
>      >>
>      >> Cheers,
>      >> Nils
>      >>
>      >> _______________________________________________
>      >> keycloak-user mailing list
>      >> keycloak-user at lists.jboss.org
>      >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>      >
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

