<div dir="ltr">Hi Bill,<div><br></div><div>thanks, I wasn't fully aware of the AccountService. However, we'll need to implement a user management page within our application that gives access to all users and role mappings within the realm. So I suppose I would either have to access the admin console back-end via REST with a keycloak-admin-realm user or use the JPA entities from keycloak-model-jpa directly.</div>
<div><br></div><div>I would assume that this is a pretty standard use case though. After all, the only alternative would be exposing the admin console to end users. Or am I missing something?</div><div><br></div><div>Cheers,</div>
<div>Nils</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 15, 2014 at 4:45 PM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">User information can be obtained from the IDToken within<br>
KeycloakSecurityContext. You can set up what information is in the<br>
IDToken via the claims page in each application/oauth client.<br>
<br>
For other user requests (like changing passwords), use the Account<br>
Service. Every authenticated user has permission to access this REST<br>
API by default.<br>
<div class=""><br>
On 4/15/2014 10:41 AM, Nils Preusker wrote:<br>
> By management REST API you mean the API the admin console uses?<br>
><br>
> Just to make sure I understand your suggestion correctly:<br>
><br>
> * I would use the management REST API (same API the admin console uses)<br>
> from my backend application<br>
> * my backend application would need a user ("application user") within<br>
> the keycloak-admin realm<br>
> * when accessing the management REST API, I would add an "Authorization:<br>
> Bearer ..." header with the token I can obtain from<br>
> .../auth/rest/realms/MY-REALM/tokens/grants/access<br>
><br>
> Cheers,<br>
> Nils<br>
><br>
><br>
><br>
> On Tue, Apr 15, 2014 at 3:10 PM, Bill Burke <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a><br>
</div><div class="">> <mailto:<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>>> wrote:<br>
><br>
> IMO, you should not use the model directly in your applications. The<br>
> management REST API gives you full access to security metadata. Use<br>
> that. Plus, in the very near future (after beta-1 release) we'll be<br>
> implementing a cache and if you are modifying data directly, there will<br>
> be possibilities of this cache using stale data.<br>
><br>
> On 4/15/2014 4:30 AM, Stian Thorgersen wrote:<br>
> > At some point we'll add Java and REST APIs for user<br>
> management. This will also include being able to register listeners<br>
> for user events (for example user created, user deleted, etc).<br>
> ><br>
> > In the meantime I don't see any issues with using<br>
> keycloak-model-jpa directly, especially not for read only. This API<br>
> will quite likely change between versions, and we won't support any<br>
> backwards compatibility. The "official" user management API once<br>
> it's ready will be more stable, but I'm not sure when we'll have<br>
> time to implement that.<br>
> ><br>
> > ----- Original Message -----<br>
> >> From: "Nils Preusker" <<a href="mailto:n.preusker@gmail.com">n.preusker@gmail.com</a><br>
</div><div><div class="h5">> <mailto:<a href="mailto:n.preusker@gmail.com">n.preusker@gmail.com</a>>><br>
> >> To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <mailto:<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
> >> Sent: Tuesday, 15 April, 2014 9:22:44 AM<br>
> >> Subject: [keycloak-user] Sharing users<br>
> >><br>
> >> Hi, I have a question regarding user management and sharing<br>
> access to the<br>
> >> keycloak database between applications.<br>
> >><br>
> >> While the keycloak admin console can be used to manage users, other<br>
> >> applications may also need to access the user database. Is there a<br>
> >> recommended way of accomplishing this?<br>
> >><br>
> >> I've been experimenting with adding keycloak-model-jpa to my<br>
> .war as a<br>
> >> dependency and looking at the bootstrapping in<br>
> >> org.keycloak.services.resources.KeycloakApplication. However, I<br>
> wasn't able<br>
> >> to get it to work yet and have the feeling that I might be going<br>
> the wrong<br>
> >> way here.<br>
> >><br>
> >> Any hints?<br>
> >><br>
> >> Cheers,<br>
> >> Nils<br>
> >><br>
> >> _______________________________________________<br>
> >> keycloak-user mailing list<br>
</div></div>> >> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a> <mailto:<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
<div class="">> >> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</div><div class="">
> ><br>
><br>
> --<br>
> Bill Burke<br>
> JBoss, a division of Red Hat<br>
> <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</div><div class="HOEnZb"><div class="h5">
><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</div></div></blockquote></div><br></div>
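<div><br></div><div>Added example (not code from the thread or from the Keycloak project) illustrating the approach discussed above: a back-end component that authenticates as a dedicated management-realm account, caches the resulting token, and calls the management REST API with an "Authorization: Bearer ..." header, so that the application's own user-management page receives only usernames and role names while the management credentials never leave the server. The token endpoint is the one named in the thread; the admin API paths, the JSON fields of the token response, the fake in-memory server and all sample users and credentials are assumptions constructed for this example.</div>

```python
"""Added example (not code from the thread or from Keycloak): a back-end helper
that follows Bill's suggestion of calling the management REST API with a bearer
token obtained for a dedicated management account. Admin API paths, the token
response's JSON shape and the in-memory fake server are assumptions."""
import json
import time
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real HTTP transport; the client accepts any callable with this signature."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


class KeycloakAdminClient:
    """Holds the management credentials and token server-side only; end users
    see just what the application renders from the API responses."""

    def __init__(self, base_url, admin_realm, username, password, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.admin_realm = admin_realm
        self._username, self._password = username, password
        self._transport = transport  # (method, url, headers, body) -> (status, bytes)
        self._token, self._expires_at = None, 0.0

    def access_token(self, now=None):
        """Return a cached token, re-authenticating 30 s before it expires so the
        password is not resent on every request."""
        now = time.time() if now is None else now
        if self._token and self._expires_at - 30 > now:
            return self._token
        # Token endpoint as named in the thread (Keycloak beta era); newer releases
        # use /realms/{realm}/protocol/openid-connect/token instead.
        url = f"{self.base_url}/auth/rest/realms/{self.admin_realm}/tokens/grants/access"
        body = urllib.parse.urlencode({"username": self._username, "password": self._password}).encode()
        status, raw = self._transport("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        data = json.loads(raw)
        self._token = data["access_token"]
        self._expires_at = now + float(data.get("expires_in", 60))
        return self._token

    def _get(self, path):
        headers = {"Authorization": "Bearer " + self.access_token(), "Accept": "application/json"}
        status, raw = self._transport("GET", self.base_url + path, headers, None)
        if status in (401, 403):  # message deliberately omits the token: it would land in logs
            raise PermissionError(f"management API rejected the request (HTTP {status})")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} for {path}")
        return json.loads(raw)

    def list_users(self, realm):
        # Assumed admin path: verify against the admin console's own requests.
        return self._get(f"/auth/rest/admin/realms/{urllib.parse.quote(realm)}/users")

    def realm_roles_of(self, realm, user_id):
        return self._get(f"/auth/rest/admin/realms/{urllib.parse.quote(realm)}/users/"
                         f"{urllib.parse.quote(user_id)}/role-mappings/realm")


def user_summary(client, realm):
    """What the application's own user-management page renders: usernames and
    realm role names, never the token or the management credentials."""
    return [{"username": u["username"],
             "roles": [r["name"] for r in client.realm_roles_of(realm, u["id"])]}
            for u in client.list_users(realm)]


def fake_server():
    """Constructed stand-in for a Keycloak instance (sample data, not a real realm)."""
    users = [{"id": "u-1", "username": "alice"}, {"id": "u-2", "username": "bob"}]
    roles = {"u-1": [{"name": "admin"}, {"name": "user"}], "u-2": [{"name": "user"}]}
    calls = []

    def transport(method, url, headers, body):
        calls.append((method, url))
        path = urllib.parse.urlparse(url).path
        if method == "POST" and path.endswith("/tokens/grants/access"):
            if urllib.parse.parse_qs(body.decode()).get("password") != ["s3cret"]:
                return 401, b'{"error": "invalid_grant"}'
            return 200, json.dumps({"access_token": "tok-1", "expires_in": 300}).encode()
        if headers.get("Authorization") != "Bearer tok-1":
            return 401, b""
        if path.endswith("/users"):
            return 200, json.dumps(users).encode()
        for uid, user_roles in roles.items():
            if path.endswith(f"/users/{uid}/role-mappings/realm"):
                return 200, json.dumps(user_roles).encode()
        return 404, b""

    return transport, calls


if __name__ == "__main__":
    transport, calls = fake_server()
    client = KeycloakAdminClient("http://localhost:8080", "keycloak-admin", "app-user", "s3cret", transport)
    print(user_summary(client, "MY-REALM"))
    print("token requests sent:", sum(1 for m, _ in calls if m == "POST"))
```

<div>The transport is injected so the class can be exercised against the constructed fake without a server; in production the default urllib transport is used and the management account should hold only the realm-management permissions the page actually needs, since every request is made with that account's token.</div>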