[keycloak-user] Keycloak and registration workflow for REST API platform

Bill Burke bburke at redhat.com
Thu Jul 10 10:38:54 EDT 2014


I wrote the resteasy oauth2 support.  The problem with it is that it is 
*VERY* limited.  It is built on top of the current JBoss EAP 6.x and AS 
7.1 security architecture, specifically on top of JAAS LoginModules. 
Managing users, roles, role mappings, realm config, etc, is basically up 
to you.  FYI, this limitation is the reason I started the Keycloak 
project!!!!!


On 7/10/2014 7:05 AM, Christina Lau wrote:
> It seems a little involved, what you described below. I may need more help if I go with the approach you mentioned.
>
> I am also asking the Red Hat RestEasy team about their OAuth support, and they pointed me here as they also do not provide any OAuth support in RestEasy
>
> https://docs.jboss.org/resteasy/docs/3.0.7.Final/userguide/html/oauth2.html
>
> Support Case: https://access.redhat.com/support/cases/01136430/
>
> It seems a little convoluted as well and I have to do a lot of work to secure the REST APIs.
>
> Can you comment on these 2 alternatives? I am not a security expert and don't really want to spend a lot of time implementing; I would rather have a more out-of-the-box solution. Thanks.
>
> Christina
>
> On Jul 9, 2014, at 11:01 AM, Stian Thorgersen <stian at redhat.com> wrote:
>
>> We did have some plans to provide something like this in Keycloak. Basically it would be possible for users to create their own applications through account management console. However, we simply don't have time to add this at the moment.
>>
>> In the meantime there are at least two options available:
>>
>> * Create your own application that lets users register applications, and use the KC admin endpoints to create a client. You could then use the client_id as the API key, so users wouldn't have to deal with both an API key and an oauth2 client id. You can also add scope mappings to these clients to control what roles/features of your app they can access
>> * Contribute this to Keycloak - if this is something you're interested in let me know and we can look at how feasible that would be
>>
>> With regards to 1, you'd have to add that yourself. You could extend our adapter (or add your own) that extracts the API key from a query param and/or header and uses the KC admin endpoints to verify that it corresponds to the id of a client, and that the client has the required scopes.
>>
>> ----- Original Message -----
>>> From: "Christina Lau" <christinalau28 at icloud.com>
>>> To: "Stian Thorgersen" <stian at redhat.com>, keycloak-user at lists.jboss.org
>>> Sent: Wednesday, 9 July, 2014 1:46:41 PM
>>> Subject: Re: [keycloak-user] Keycloak and registration workflow for REST API platform
>>>
>>> Hello Stian, here is what I am trying to do:
>>>
>>> 1. Create a self-service registration application; all users will use this
>>> application to register with their own email or twitter/facebook/google acct
>>> email.  I imagine I will use the Keycloak login and use CSS to customize it
>>> to integrate with my own application.
>>>
>>> 2. The user will be issued a key/access token; this key will be used later to
>>> authorize the REST calls
>>>
>>> Now I want to support 3 kinds of authorization for the different REST calls:
>>>
>>> 1. API key only - for calls that just need to establish identity, but don't
>>> need to authenticate or authorize.
>>> 2. Authentication for more sensitive calls where I want to delegate
>>> authorization to a trusted location (i.e. keycloak)
>>> 3. Authorization for certain services that only authorized partners can
>>> invoke.
>>>
>>> Can you outline how I can implement this in Keycloak, especially what part I have to
>>> implement myself? I plan to use RestEasy to implement RESTful services, but
>>> I need to make sure the RESTful services can be called by all clients (i.e.
>>> support popular OAuth libraries). Thanks…
>>>
>>> Christina
>>>
>>> On Jul 9, 2014, at 4:15 AM, Stian Thorgersen <stian at redhat.com> wrote:
>>>
>>>> To answer your question properly I'd need more details about what you're
>>>> trying to achieve.
>>>>
>>>> It does sound like we pretty much already have what you need, with the
>>>> exception of letting users themselves create clients. Depending on your
>>>> use case it may be a good idea to have a single realm (and share users)
>>>> between all developers/applications, or it may be better to have a realm
>>>> per developer/application.
>>>>
>>>> For the latter we do have a role that lets users create new realms, but not
>>>> use any other realms. This could be used to let a developer register with
>>>> your platform and then be able to log in to the admin console to create
>>>> clients, users, or whatever they want. For the former, we have discussed in
>>>> the past, but do not yet support, the ability to let users register
>>>> clients through the account management console.
>>>>
>>>> ----- Original Message -----
>>>>> From: "Christina Lau" <christinalau28 at icloud.com>
>>>>> To: keycloak-user at lists.jboss.org
>>>>> Sent: Tuesday, 8 July, 2014 4:34:57 PM
>>>>> Subject: [keycloak-user] Keycloak and registration workflow for REST API platform
>>>>>
>>>>> I am wondering if I can use Keycloak to implement the registration
>>>>> workflow for a REST API platform, similar to Twitter
>>>>> (https://apps.twitter.com/) or LinkedIn
>>>>> (https://developer.linkedin.com/rest).
>>>>>
>>>>> I found some features like social login very applicable. However, I am not
>>>>> quite sure how I will model this in Keycloak. For example, will I have 1
>>>>> realm per user, and will each user that registers have their own oauth
>>>>> client for their third party appl(s) that I need to grant access to,
>>>>> similar to the Tutorial 3 demo?
>>>>>
>>>>> If this is feasible to implement, can you outline the steps involved in
>>>>> this use case? I am thinking I will need to build a lot of it using the
>>>>> REST APIs you provided. Thanks in advance for any help.
>>>>>
>>>>> Christina
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>
>>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
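Stian's first option above (use the Keycloak client_id as the API key, extract it from a header or query parameter, and check the client's scope mappings before admitting the call) is sketched below as an added example. This is not Keycloak, RESTEasy or adapter code; the client registry is a constructed in-memory stand-in for what an adapter would look up through the KC admin endpoints, and the `X-API-Key` header and `api_key` parameter names are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

# Constructed stand-in for a client lookup against the Keycloak admin endpoints:
# client_id -> enabled flag and the scopes mapped to that client (assumption).
CLIENT_REGISTRY = {
    "weather-widget":  {"enabled": True,  "scopes": {"read:public"}},
    "partner-billing": {"enabled": True,  "scopes": {"read:public", "invoice:write"}},
    "revoked-app":     {"enabled": False, "scopes": {"read:public"}},
}


@dataclass
class Decision:
    allowed: bool
    client_id: Optional[str] = None
    reason: str = ""


def extract_api_key(headers: dict, query_string: str) -> Optional[str]:
    """Take the key from the X-API-Key header first (header names compared
    case-insensitively), then fall back to the api_key query parameter."""
    lowered = {k.lower(): v for k, v in headers.items()}
    key = lowered.get("x-api-key", "").strip()
    if key:
        return key
    values = parse_qs(query_string).get("api_key", [])
    return values[0].strip() if values and values[0].strip() else None


def authorize(headers: dict, query_string: str,
              required_scope: Optional[str] = None) -> Decision:
    """Identity-only calls pass required_scope=None: a known, enabled client is
    enough. Partner-only calls name the scope that must be mapped to the client.
    Each failure mode is reported separately so it can be logged and alerted on."""
    key = extract_api_key(headers, query_string)
    if not key:
        return Decision(False, reason="missing api key")
    client = CLIENT_REGISTRY.get(key)
    if client is None:
        return Decision(False, reason="unknown client")
    if not client["enabled"]:
        return Decision(False, key, "client disabled")
    if required_scope and required_scope not in client["scopes"]:
        return Decision(False, key, "scope not mapped")
    return Decision(True, key, "ok")
```

Christina's second tier (calls that need an authenticated user) is the case the stock Keycloak adapter already covers with a bearer access token, so it is deliberately not re-implemented here.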

