[keycloak-user] Keycloak and registration workflow for REST API platform

Stian Thorgersen stian at redhat.com
Wed Jul 9 11:01:00 EDT 2014


We did have some plans to provide something like this in Keycloak. Basically it would be possible for users to create their own applications through account management console. However, we simply don't have time to add this at the moment.

In the meantime there are at least two options available:

* Create your own application that lets users register applications, and use the KC admin endpoints to create a client. You could then use the client_id as the API keys, so users wouldn't have to deal with both an API key and an oauth2 client id. You can also add scope mappings to these clients to control what roles/features of your app they can access.
* Contribute this to Keycloak - if this is something you're interested in let me know and we can look at how feasible that would be

With regards to 1, you'd have to add that yourself. You could extend our adapter (or add your own) that extracts the API key from a query param and/or header and uses the KC admin endpoints to verify that it corresponds to the id of a client, and that the client has the required scopes.

----- Original Message -----
> From: "Christina Lau" <christinalau28 at icloud.com>
> To: "Stian Thorgersen" <stian at redhat.com>, keycloak-user at lists.jboss.org
> Sent: Wednesday, 9 July, 2014 1:46:41 PM
> Subject: Re: [keycloak-user] Keycloak and registration workflow for REST API platform
> 
> Hello Stian, here is what I am trying to do:
> 
> 1. Create a self-service registration application, all users will use this
> application to register with their own email or twitter/facebook/google acct
> email.  I will imagine I use the Keycloak login and use CSS to customize it
> to integrate with my own application.
> 
> 2. The user will be issued a key/access token, this key will be used later to
> authorize the REST calls
> 
> Now I want to support 3 kinds of authorization for the different REST calls:
> 
> 1. API key only - for calls that just need to establish identity, but don't
> need to authenticate or authorize.
> 2. Authentication for more sensitive calls where I want to delegate
> authorization to a trusted location (i.e. keycloak)
> 3. Authorization for certain services where only authorized partners can
> invoke.
> 
> Can you outline how I can implement this in Keycloak, esp what part I have to
> implement myself. I plan to use RestEasy to implement Restful services, but
> I need to make sure the Restful services can be called by all clients (i.e.
> support popular OAuth libraries). Thanks…
> 
> Christina
> 
> On Jul 9, 2014, at 4:15 AM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> > To answer your question properly I'd need more details about what you're
> > trying to achieve.
> > 
> > It does sound like we pretty much already have what you need, with the
> > exception of letting users themselves create clients. Depending on your
> > use case it may be a good idea to have a single realm (and share users)
> > between all developers/applications, or it may be better to have a realm
> > per developer/application.
> > 
> > For the latter we do have a role that lets users create new realms, but not
> > use any other realms. This could be used to let a developer register with
> > your platform and then be able to login to the admin console to create
> > clients, users, or whatever they want. For the first we have discussed in
> > the past, but do not support it yet, the ability to let users register
> > clients through the account management console.
> > 
> > ----- Original Message -----
> >> From: "Christina Lau" <christinalau28 at icloud.com>
> >> To: keycloak-user at lists.jboss.org
> >> Sent: Tuesday, 8 July, 2014 4:34:57 PM
> >> Subject: [keycloak-user] Keycloak and registration workflow for REST API
> >> 	platform
> >> 
> >> I am wondering if I can use Keycloak to implement the registration
> >> workflow for a REST API platform, similar to Twitter
> >> (https://apps.twitter.com/) or LinkedIn
> >> (https://developer.linkedin.com/rest).
> >> 
> >> I found some features like social login very applicable. However I am not
> >> quite sure how I will model this in Keycloak. For example, will I have 1
> >> realm per user and each user that registers will have their own oauth
> >> client
> >> for their third party appl(s) that I need to grant access to similar to
> >> the
> >> Tutorial 3 demo?
> >> 
> >> If this is feasible to implement, can you outline the steps involved in
> >> this
> >> use case. I am thinking I will need to build a lot of it using the REST
> >> APIs
> >> you provided. Thanks in advance for any help.
> >> 
> >> Christina
> >> 
> 
> 
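The API-key check Stian sketches above (pull the key from a header or query parameter, confirm it is the client_id of a registered client, then check that client's scope mappings) as an added JAX-RS 2.0 request filter. This is example code written for this thread, not Keycloak's adapter or anything from the list; it assumes the header name X-API-Key, the query parameter api_key, and a ClientDirectory interface behind which the lookup against the KC admin endpoints would sit (an in-memory implementation stands in for it here).

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;

/** Resolves an API key (the Keycloak client_id) to the scopes mapped to that client. */
interface ClientDirectory {
    /** The client's mapped scopes, or null when no client is registered under this id. */
    Set<String> scopesFor(String clientId);
}

/** Constructed in-memory directory; a real one would query the KC admin endpoints (assumption). */
class StaticClientDirectory implements ClientDirectory {
    private final Map<String, Set<String>> clients;
    StaticClientDirectory(Map<String, Set<String>> clients) { this.clients = clients; }
    public Set<String> scopesFor(String clientId) { return clients.get(clientId); }
}

/** JAX-RS request filter; register an instance with the Application (it needs constructor args). */
public class ApiKeyFilter implements ContainerRequestFilter {
    static final String HEADER = "X-API-Key"; // assumed header name
    static final String QUERY = "api_key";    // assumed query parameter name
    private final ClientDirectory directory;
    private final Map<String, String> requiredScopeByPath; // path (no leading slash) -> scope
    public ApiKeyFilter(ClientDirectory directory, Map<String, String> requiredScopeByPath) {
        this.directory = directory;
        this.requiredScopeByPath = requiredScopeByPath;
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String key = ctx.getHeaderString(HEADER); // header first ...
        if (key == null || key.isEmpty()) {
            key = ctx.getUriInfo().getQueryParameters().getFirst(QUERY); // ... query param as fallback
        }
        Set<String> scopes = key == null ? null : directory.scopesFor(key);
        if (scopes == null) { // missing key, or no client registered under this id
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        String required = requiredScopeByPath.get(ctx.getUriInfo().getPath());
        if (required != null && !scopes.contains(required)) { // client lacks the scope mapping
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        ctx.setProperty("client_id", key); // identity established; resources read it from the request
    }
}
```

A request with no key or an unknown client_id gets 401, a known client without the scope mapped for that path gets 403, and everything else proceeds with the client_id attached to the request for the resource method.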