<div dir="ltr">forgot to reply to all ;-)<br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Bystrik Horvath</b> <span dir="ltr"><<a href="mailto:bystrik.horvath@gmail.com">bystrik.horvath@gmail.com</a>></span><br>Date: Fri, Nov 27, 2015 at 12:18 PM<br>Subject: Re: [keycloak-user] Limiting the admin REST API<br>To: <a href="mailto:stian@redhat.com">stian@redhat.com</a><br><br><br><div dir="ltr">Hi Stian,<div><br></div><div>thank you for the answer. A custom endpoint would be a nicer option for me, as I would like to, e.g., let the calling application use its own set of user attributes (e.g., name of the university) and remap them onto custom attributes of the user representation. Is there any way to add my own endpoint to Keycloak (when the SPI is not ready for that option)?</div><div><br></div><div>Best regards,</div><div>Bystrik</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 27, 2015 at 12:05 PM, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Another option is that you use scope to prevent this. I imagine you will want to have a separate set of roles for your calling app in either case. In which case you make sure that you limit the scope of the clients.</div><div class="gmail_extra"><br><div class="gmail_quote">On 27 November 2015 at 12:04, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Pressed send too early. We are planning to add an SPI to allow deploying your own REST endpoints. Once we have that we can also add an option to disable admin endpoints. 
Although the Keycloak admin console wouldn't work anymore.</div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On 27 November 2015 at 12:03, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">In that case I'd say you should rather not deploy the admin endpoints at all and instead add your own custom endpoints.</div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On 27 November 2015 at 11:08, Bystrik Horvath <span dir="ltr"><<a href="mailto:bystrik.horvath@gmail.com" target="_blank">bystrik.horvath@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">Hello everyone,<div><br></div><div>I would like to limit the functionality of the admin REST API to the calling user/application. </div><div>The motivation is not to expose the "internals" of keycloak and put some logic between the calling app and admin REST API.</div><div>My idea was to create a simple web application deployed at keycloak server that belongs to the same realm as calling application and realm management application. </div><div>Would you recommend that approach? Or is there anything more suitable (e.g.: implement it as a keycloak valve... etc.)?</div><div><br></div><div>Thank you for your opinions.</div><div><br></div><div>Best regards,</div><div>Bystrik</div><div><br></div><div><br></div></div>
<br></div></div>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</blockquote></div><br></div>
</div><br></div>