[keycloak-user] Sharing users

Nils Preusker n.preusker at gmail.com
Tue Apr 15 11:04:48 EDT 2014


Hi Bill,

thanks, I wasn't fully aware of the AccountService. However, we'll need to
implement a user management page within our application that gives access
to all users and role mappings within the realm. So I suppose I would
either have to access the admin console back-end via REST with a
keycloak-admin-realm user or use the JPA entities from keycloak-model-jpa
directly.

I would assume that this is a pretty standard use case though. After all,
the only alternative would be exposing the admin console to end users. Or
am I missing something?

Cheers,
Nils



On Tue, Apr 15, 2014 at 4:45 PM, Bill Burke <bburke at redhat.com> wrote:

> User information can be obtained from the IDToken within
> KeycloakSecurityContext.  You can set up what information is in the
> IDToken via the claims page in each application/oauth client.
>
> For other user requests (like changing passwords), use the Account
> Service.  Every authenticated user has permission to access this REST
> API by default.
>
> On 4/15/2014 10:41 AM, Nils Preusker wrote:
> > By management REST API you mean the API the admin console uses?
> >
> > Just to make sure I understand your suggestion correctly:
> >
> > * I would use the management REST API (same API the admin console uses)
> > from my backend application
> > * my backend application would need a user ("application user") within
> > the keycloak-admin realm
> > * when accessing the management REST API, I would add an "Authorization:
> > Bearer ..." header with the token I can obtain from
> > .../auth/rest/realms/MY-REALM/tokens/grants/access
> >
> > Cheers,
> > Nils
> >
> >
> >
> > On Tue, Apr 15, 2014 at 3:10 PM, Bill Burke <bburke at redhat.com> wrote:
> >
> >     IMO, you should not use the model directly in your applications.  The
> >     management REST API gives you full access to security metadata.  Use
> >     that.  Plus, in the very near future (after beta-1 release) we'll be
> >     implementing a cache and if you are modifying data directly, there
> will
> >     be possibilities of this cache using stale data.
> >
> >     On 4/15/2014 4:30 AM, Stian Thorgersen wrote:
> >      > At some point we'll add Java and REST APIs for user
> >     management. This will also include being able to register listeners
> >     for user events (for example user created, user deleted, etc).
> >      >
> >      > In the meantime I don't see any issues with using
> >     keycloak-model-jpa directly, especially not for read only. This API
> >     will quite likely change between versions, and we won't support any
> >     backwards compatibility. The "official" user management API once
> >     it's ready will be more stable, but I'm not sure when we'll have
> >     time to implement that.
> >      >
> >      > ----- Original Message -----
> >      >> From: "Nils Preusker" <n.preusker at gmail.com>
> >      >> To: keycloak-user at lists.jboss.org
> >      >> Sent: Tuesday, 15 April, 2014 9:22:44 AM
> >      >> Subject: [keycloak-user] Sharing users
> >      >>
> >      >> Hi, I have a question regarding user management and sharing
> >     access to the
> >      >> keycloak database between applications.
> >      >>
> >      >> While the keycloak admin console can be used to manage users,
> other
> >      >> applications may also need to access the user database. Is there
> a
> >      >> recommended way of accomplishing this?
> >      >>
> >      >> I've been experimenting with adding keycloak-model-jpa to my
> >     .war as a
> >      >> dependency and looking at the bootstrapping in
> >      >> org.keycloak.services.resources.KeycloakApplication. However, I
> >     wasn't able
> >      >> to get it to work yet and have the feeling that I might be going
> >     the wrong
> >      >> way here.
> >      >>
> >      >> Any hints?
> >      >>
> >      >> Cheers,
> >      >> Nils
> >      >>
> >      >> _______________________________________________
> >      >> keycloak-user mailing list
> >      >> keycloak-user at lists.jboss.org
> >      >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >     --
> >     Bill Burke
> >     JBoss, a division of Red Hat
> >     http://bill.burkecentral.com
> >
> >
> >
> >
> >
>
>
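The flow Nils outlines above (a backend "application user" in the admin realm, a token fetched from the `.../tokens/grants/access` endpoint, and an `Authorization: Bearer ...` header on management REST API calls) can be sketched as a small client. The following is an added example written for this thread, not code from Keycloak or from any of the posters. The endpoint path comes from the thread; the form field names (`username`, `password`, `client_id`), the `access_token`/`expires_in` response shape, the admin path `/auth/rest/admin/realms/{realm}/users` and the in-memory stand-in for the server are assumptions made for illustration. The client reads `exp` from the token only to refresh it before it lapses; signature verification stays with Keycloak.

```python
import base64
import json
import time
import urllib.parse
from typing import Callable, Dict, Optional, Tuple

# Transport: (method, url, headers, body) -> (status, body). Injected so the
# flow runs offline; a real backend would wrap urllib.request or requests.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict:
    """Read a JWT payload WITHOUT verifying it: client-side only, to learn 'exp'."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(b64url_decode(parts[1]))


class KeycloakAdminClient:
    """Backend client: application-user token + bearer header on admin REST calls."""

    def __init__(self, base_url: str, admin_realm: str, username: str, password: str,
                 client_id: str, transport: Transport,
                 clock: Callable[[], float] = time.time, leeway: int = 30):
        self.base_url, self.admin_realm = base_url.rstrip("/"), admin_realm
        self.username, self.password, self.client_id = username, password, client_id
        self.transport, self.clock, self.leeway = transport, clock, leeway
        self._token: Optional[str] = None
        self._exp = 0.0
        self.token_requests = 0  # lets a caller check that the token is cached

    def _fetch_token(self) -> str:
        # Path from the thread; form field names are an assumption.
        url = f"{self.base_url}/auth/rest/realms/{self.admin_realm}/tokens/grants/access"
        body = urllib.parse.urlencode({"username": self.username, "password": self.password,
                                       "client_id": self.client_id}).encode()
        status, payload = self.transport(
            "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        data = json.loads(payload)
        token = data["access_token"]
        self._exp = float(jwt_claims(token).get("exp", self.clock() + data.get("expires_in", 0)))
        self.token_requests += 1
        return token

    def token(self) -> str:
        # Refresh 'leeway' seconds before expiry instead of waiting for a 401.
        if self._token is None or self.clock() >= self._exp - self.leeway:
            self._token = self._fetch_token()
        return self._token

    def get(self, path: str):
        url = f"{self.base_url}{path}"
        headers = {"Authorization": f"Bearer {self.token()}", "Accept": "application/json"}
        status, payload = self.transport("GET", url, headers, None)
        if status == 401:  # revoked or expired server-side: refresh once and retry
            self._token = None
            headers["Authorization"] = f"Bearer {self.token()}"
            status, payload = self.transport("GET", url, headers, None)
        if status != 200:
            raise RuntimeError(f"GET {path} failed with HTTP {status}")
        return json.loads(payload)

    def list_users(self, realm: str):
        return self.get(f"/auth/rest/admin/realms/{realm}/users")  # assumed path


def make_fake_keycloak(clock: Callable[[], float], lifetime: int = 60) -> Transport:
    """Constructed stand-in: issues unsigned demo tokens, checks the bearer header."""
    issued = []

    def transport(method, url, headers, body):
        if method == "POST" and url.endswith("/tokens/grants/access"):
            form = urllib.parse.parse_qs(body.decode())
            if form.get("username") != ["app-user"] or form.get("password") != ["secret"]:
                return 401, b'{"error":"invalid_grant"}'
            claims = {"exp": int(clock()) + lifetime, "preferred_username": "app-user"}
            tok = f'{b64url_encode(b"{}")}.{b64url_encode(json.dumps(claims).encode())}.'
            issued.append(tok)
            return 200, json.dumps({"access_token": tok, "expires_in": lifetime}).encode()
        if method == "GET" and url.endswith("/admin/realms/my-realm/users"):
            tok = headers.get("Authorization", "")[len("Bearer "):]
            if tok not in issued or jwt_claims(tok)["exp"] <= clock():
                return 401, b""
            return 200, json.dumps([{"username": "alice"}, {"username": "bob"}]).encode()
        return 404, b""

    return transport


def demo():
    """Two calls share one token; after the token lapses a second one is fetched."""
    now = [1_000_000.0]
    clock = lambda: now[0]
    client = KeycloakAdminClient("https://keycloak.example.invalid", "keycloak-admin",
                                 "app-user", "secret", "user-management-app",
                                 make_fake_keycloak(clock), clock=clock)
    client.list_users("my-realm")
    client.list_users("my-realm")  # token still valid: no new token request
    now[0] += 120                  # past expiry: next call refreshes the token
    users = client.list_users("my-realm")
    return [u["username"] for u in users], client.token_requests
```

The point of the leeway-based refresh is that the backend holds a short-lived bearer token for a dedicated application user rather than a database connection or JPA entities, which is the shape Bill recommends and which survives the cache he mentions.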