[keycloak-user] Sharing users
Nils Preusker
n.preusker at gmail.com
Tue Apr 15 11:04:48 EDT 2014
Hi Bill,
thanks, I wasn't fully aware of the AccountService. However, we'll need to
implement a user management page within our application that gives access
to all users and role mappings within the realm. So I suppose I would
either have to access the admin console back-end via REST with a
keycloak-admin-realm user or use the JPA entities from keycloak-model-jpa
directly.
I would assume that this is a pretty standard use case though. After all,
the only alternative would be exposing the admin console to end users. Or
am I missing something?
Cheers,
Nils
On Tue, Apr 15, 2014 at 4:45 PM, Bill Burke <bburke at redhat.com> wrote:
> User information can be obtained from the IDToken within
> KeycloakSecurityContext. You can set up what information is in the
> IDToken via the claims page in each application/oauth client.
>
> For other user requests (like changing passwords), use the Account
> Service. Every authenticated user has permission to access this REST
> API by default.
>
> On 4/15/2014 10:41 AM, Nils Preusker wrote:
> > By management REST API you mean the API the admin console uses?
> >
> > Just to make sure I understand your suggestion correctly:
> >
> > * I would use the management REST API (same API the admin console uses)
> > from my backend application
> > * my backend application would need a user ("application user") within
> > the keycloak-admin realm
> > * when accessing the management REST API, I would add an "Authorization:
> > Bearer ..." header with the token I can obtain from
> > .../auth/rest/realms/MY-REALM/tokens/grants/access
> >
> > Cheers,
> > Nils
> >
> > On Tue, Apr 15, 2014 at 3:10 PM, Bill Burke <bburke at redhat.com> wrote:
> >
> > IMO, you should not use the model directly in your applications. The
> > management REST API gives you full access to security metadata. Use
> > that. Plus, in the very near future (after beta-1 release) we'll be
> > implementing a cache and if you are modifying data directly, there will
> > be possibilities of this cache using stale data.
> >
> > On 4/15/2014 4:30 AM, Stian Thorgersen wrote:
> > > At some point we'll add Java and REST APIs for user
> > management. This will also include being able to register listeners
> > for user events (for example user created, user deleted, etc).
> > >
> > > In the meantime I don't see any issues with using
> > keycloak-model-jpa directly, especially not for read only. This API
> > will quite likely change between versions, and we won't support any
> > backwards compatibility. The "official" user management API once
> > it's ready will be more stable, but I'm not sure when we'll have
> > time to implement that.
> > >
> > > ----- Original Message -----
> > >> From: "Nils Preusker" <n.preusker at gmail.com>
> > >> To: keycloak-user at lists.jboss.org
> > >> Sent: Tuesday, 15 April, 2014 9:22:44 AM
> > >> Subject: [keycloak-user] Sharing users
> > >>
> > >> Hi, I have a question regarding user management and sharing
> > >> access to the keycloak database between applications.
> > >>
> > >> While the keycloak admin console can be used to manage users, other
> > >> applications may also need to access the user database. Is there a
> > >> recommended way of accomplishing this?
> > >>
> > >> I've been experimenting with adding keycloak-model-jpa to my
> > >> .war as a dependency and looking at the bootstrapping in
> > >> org.keycloak.services.resources.KeycloakApplication. However, I
> > >> wasn't able to get it to work yet and have the feeling that I might
> > >> be going the wrong way here.
> > >>
> > >> Any hints?
> > >>
> > >> Cheers,
> > >> Nils
> > >>
> > >> _______________________________________________
> > >> keycloak-user mailing list
> > >> keycloak-user at lists.jboss.org
> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
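The pattern the thread settles on (a dedicated service account obtains a token from the realm's grants/access endpoint, then calls the management REST API with an "Authorization: Bearer ..." header) as an added example. This is not code from the thread or from the Keycloak project. Assumptions: the token endpoint accepts a form-encoded username/password body and answers with a JSON document containing an access_token field; the management API lives under /auth/rest/admin/realms/{realm} with /users and /users/{id}/role-mappings/realm resources (the thread names none of these, and the admin paths have changed across Keycloak versions, so they are constructor parameters). The HTTP transport is injectable so the client can be exercised offline.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request


def jwt_payload(token):
    """Decode a compact JWT's payload WITHOUT verifying its signature.

    Only useful client-side for scheduling a refresh before 'exp'; the server
    validates the signature. Never base an authorization decision on this.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def urllib_transport(method, url, headers, body):
    """Default transport: returns (status, body_bytes); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


class KeycloakAdminClient:
    """Calls the management REST API on behalf of a service account.

    The account should hold only the admin roles the user-management page needs,
    not the full realm admin, and its password should come from a secret store.
    Paths below are assumptions (see lead-in), hence overridable.
    """

    def __init__(self, base_url, realm, username, password, transport=urllib_transport,
                 token_path="/auth/rest/realms/{realm}/tokens/grants/access",
                 admin_path="/auth/rest/admin/realms/{realm}"):
        self.base_url = base_url.rstrip("/")
        self.realm = realm
        self._creds = (username, password)
        self._transport = transport
        self._token_url = self.base_url + token_path.format(realm=realm)
        self._admin_url = self.base_url + admin_path.format(realm=realm)
        self._token = None
        self._exp = 0

    def _fetch_token(self):
        body = urllib.parse.urlencode(
            {"username": self._creds[0], "password": self._creds[1]}).encode()
        status, raw = self._transport(
            "POST", self._token_url,
            {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            # Do not echo the response body: it may contain the username.
            raise PermissionError("token request failed with HTTP %d" % status)
        token = json.loads(raw)["access_token"]
        self._exp = int(jwt_payload(token).get("exp", 0))
        self._token = token

    def token(self):
        # Refresh 30 s before expiry so no request goes out with a dead token.
        if self._token is None or time.time() > self._exp - 30:
            self._fetch_token()
        return self._token

    def get(self, path):
        """GET an admin resource as JSON; retries once with a fresh token on 401."""
        for attempt in range(2):
            headers = {"Authorization": "Bearer " + self.token(),
                       "Accept": "application/json"}
            status, raw = self._transport("GET", self._admin_url + path, headers, None)
            if status == 401 and attempt == 0:
                self._token = None  # rejected server-side (revoked/expired): re-acquire
                continue
            if status != 200:
                raise RuntimeError("GET %s -> HTTP %d" % (path, status))
            return json.loads(raw)

    def list_users(self):
        return self.get("/users")  # assumed path

    def realm_role_mappings(self, user_id):
        return self.get("/users/%s/role-mappings/realm" % urllib.parse.quote(user_id))  # assumed path
```

The one retry on 401 covers the case Bill's caching remark implies for callers that hold tokens: a token that was valid when cached may be rejected later, and the client should re-authenticate rather than fail the page. The JWT decode is deliberately unverified and used only to time the refresh; the bearer token never reaches a log line.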