[keycloak-user] Keycloak and registration workflow for REST API platform

Stian Thorgersen stian at redhat.com
Thu Jul 10 09:07:32 EDT 2014


There's not that much you have to do really. Keycloak provides most of what you'll need (OAuth2, securing rest services with rbac, user management, login/registration forms, social logins, etc.). As I said the only two pieces we don't provide are:

1. Allow users to register applications/clients themselves; this has to be done by admins at the moment
2. API key for unauthenticated requests - this could be done quite easily with a JAX-RS interceptor

I'd start without 1 and 2, then add those once you've got things working.
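A sketch of option 2 above (and of the adapter described further down the thread that extracts an API key from a header or query param and checks it against a client id and its scopes). This is an added example, not Keycloak's or RESTEasy's own code; the `ClientLookup` interface, the header and query parameter names, and the `public-api` scope are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Added example, not Keycloak's or RESTEasy's own code. ClientLookup is an
// assumed interface: a real implementation would call the Keycloak admin
// endpoints (and cache the result) to resolve a client_id to its scopes.
@Provider
@PreMatching
public class ApiKeyFilter implements ContainerRequestFilter {
    public interface ClientLookup {
        /** Scopes granted to the client, or null if no such client_id exists. */
        Set<String> scopesFor(String clientId);
    }

    static final String HEADER = "X-Api-Key";          // assumed header name
    static final String QUERY_PARAM = "api_key";       // assumed query param name
    static final String REQUIRED_SCOPE = "public-api"; // assumed scope name
    private final ClientLookup lookup;

    // Register an instance via Application#getSingletons() so the lookup is injected.
    public ApiKeyFilter(ClientLookup lookup) { this.lookup = lookup; }

    /** Header first, query parameter as fallback; null when neither is present. */
    static String extractApiKey(ContainerRequestContext ctx) {
        String key = ctx.getHeaderString(HEADER);
        if (key == null || key.isEmpty()) {
            key = ctx.getUriInfo().getQueryParameters().getFirst(QUERY_PARAM);
        }
        return (key == null || key.isEmpty()) ? null : key;
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String key = extractApiKey(ctx);
        Set<String> scopes = (key == null) ? null : lookup.scopesFor(key);
        if (scopes == null) {                   // missing key, or no client with that id
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        if (!scopes.contains(REQUIRED_SCOPE)) { // known client, scope not granted
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        ctx.setProperty("api.client_id", key);  // identity for resources / rate limiting
    }
}
```

Because the filter only establishes which client is calling, it fits the "API key only" tier; the authenticated and partner-only tiers still go through the Keycloak adapter and role/scope mappings.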

----- Original Message -----
> From: "Christina Lau" <christinalau28 at icloud.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 10 July, 2014 12:05:05 PM
> Subject: Re: [keycloak-user] Keycloak and registration workflow for REST API platform
> 
> It seems a little involved, what you described below. I may need more help if I
> go with the approach you mentioned.
> 
> I am also asking the Red Hat RestEasy team re their OAuth support, and they
> pointed me here, as they also do not provide any OAuth support in RestEasy:
> 
> https://docs.jboss.org/resteasy/docs/3.0.7.Final/userguide/html/oauth2.html
> 
> Support Case: https://access.redhat.com/support/cases/01136430/
> 
> It seems a little convoluted as well and I have to do a lot of work to secure
> the REST APIs.
> 
> Can you comment on these 2 alternatives? I am not a security expert and don’t
> really want to spend a lot of time implementing; I would rather have a more
> out-of-the-box solution. Thanks.
> 
> Christina
> 
> On Jul 9, 2014, at 11:01 AM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> > We did have some plans to provide something like this in Keycloak.
> > Basically it would be possible for users to create their own applications
> > through account management console. However, we simply don't have time to
> > add this at the moment.
> > 
> > In the meantime there are at least two options available:
> > 
> > * Create your own application that lets users register applications, and
> > use the KC admin endpoints to create a client. You could then use the
> > client_id as the API keys, so users wouldn't have to deal with both an API
> > key and an oauth2 client id. You can also add scope mappings to these
> > clients to control what roles/features of your app they can access
> > * Contribute this to Keycloak - if this is something you're interested in
> > let me know and we can look at how feasible that would be
> > 
> > With regards to 1, you'd have to add that yourself. You could extend our
> > adapter (or add your own) that extracts the API key from a query param
> > and/or header and uses the KC admin endpoints to verify that it
> > corresponds to the id of a client, and that the client has the required
> > scopes.
> > 
> > ----- Original Message -----
> >> From: "Christina Lau" <christinalau28 at icloud.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>, keycloak-user at lists.jboss.org
> >> Sent: Wednesday, 9 July, 2014 1:46:41 PM
> >> Subject: Re: [keycloak-user] Keycloak and registration workflow for REST
> >> API platform
> >> 
> >> Hello Stian, here is what I am trying to do:
> >> 
> >> 1. Create a self-service registration application, all users will use this
> >> application to register with their own email or twitter/facebook/google
> >> acct email. I will imagine I use the Keycloak login and use CSS to
> >> customize it to integrate with my own application.
> >> 
> >> 2. The user will be issued a key/access token, this key will be used later
> >> to authorize the REST calls
> >> 
> >> Now I want to support 3 kinds of authorization for the different REST
> >> calls:
> >> 
> >> 1. API key only - for calls that just need to establish identity, but
> >> don't need to authenticate or authorize.
> >> 2. Authentication for more sensitive calls where I want to delegate
> >> authorization to a trusted location (i.e. keycloak)
> >> 3. Authorization for certain services where only authorized partners can
> >> invoke.
> >> 
> >> Can you outline how I can implement this in Keycloak, esp what part I have
> >> to implement myself. I plan to use RestEasy to implement Restful services,
> >> but I need to make sure the Restful services can be called by all clients
> >> (i.e. support popular OAuth libraries). Thanks…
> >> 
> >> Christina
> >> 
> >> On Jul 9, 2014, at 4:15 AM, Stian Thorgersen <stian at redhat.com> wrote:
> >> 
> >>> To answer your question properly I'd need more details about what you're
> >>> trying to achieve.
> >>> 
> >>> It does sound like we pretty much already have what you need, with the
> >>> exception of letting users themselves create clients. Depending on your
> >>> use case it may be a good idea to have a single realm (and share users)
> >>> between all developers/applications, or it may be better to have a realm
> >>> per developer/application.
> >>> 
> >>> For the latter we do have a role that lets users create new realms, but
> >>> not use any other realms. This could be used to let a developer register
> >>> with your platform and then be able to login to the admin console to
> >>> create clients, users, or whatever they want. For the first we have
> >>> discussed in the past, but do not support it yet, the ability to let
> >>> users register clients through the account management console.
> >>> 
> >>> ----- Original Message -----
> >>>> From: "Christina Lau" <christinalau28 at icloud.com>
> >>>> To: keycloak-user at lists.jboss.org
> >>>> Sent: Tuesday, 8 July, 2014 4:34:57 PM
> >>>> Subject: [keycloak-user] Keycloak and registration workflow for REST API
> >>>> platform
> >>>> 
> >>>> I am wondering if I can use Keycloak to implement the registration
> >>>> workflow for a REST API platform, similar to Twitter
> >>>> (https://apps.twitter.com/) or LinkedIn
> >>>> (https://developer.linkedin.com/rest).
> >>>> 
> >>>> I found some features like social login very applicable. However I am
> >>>> not quite sure how I will model this in Keycloak. For example, will I
> >>>> have 1 realm per user and each user that registers will have their own
> >>>> oauth client for their third party appl(s) that I need to grant access
> >>>> to similar to the Tutorial 3 demo?
> >>>> 
> >>>> If this is feasible to implement, can you outline the steps involved in
> >>>> this use case. I am thinking I will need to build a lot of it using the
> >>>> REST APIs you provided. Thanks in advance for any help.
> >>>> 
> >>>> Christina
> >>>> 