Hi,

We are planning to add more fine-grained permissions on admin endpoints in
the future, but it will be a while until we get to it. I'm not very keen on
accepting something like this now as we are planning to do fairly big
changes around this in the future. You're also the first person to ask
about having clients specific to a user; other people have so far requested
groups of clients that groups of users can manage.

I'd recommend using the Realm Resource SPI to create custom endpoints to
accomplish this. You can use an attribute on the clients to store the user
that has created the client and only allow that user to modify it in the
future. You can also consider using the client registration service. The
client registration service allows anyone with a create-role or an initial
access token to create clients. When a client is created it returns a
registration access token that gives permission to modify/delete that
particular client in the future.

On 6 June 2016 at 14:39, Erik Berdonces Bonelo <
e.berdoncesbonelo(a)campus.tu-berlin.de> wrote:
Hello,

I’m working at the moment on a Master's thesis project at TU Berlin where we
are using Keycloak for Authentication and Authorisation purposes.

We are planning on extending Keycloak in order to provide users a way to
register clients/applications by themselves into the platform, while having
an admin overseeing the system.

This would mean that as a user, if I have the proper rights I should be
able to create and manage my own clients. With this comes the idea of
ownership, as this would mean that a client's ownership could be transferred
to someone else.

Also, the admin should be able to accept, revoke and delete the clients
and requests to create clients in my Keycloak.

At the moment the only option would be giving the permission to create
clients to the user, but that would allow them to change ANY of the possible
clients.

Then, I have two questions:

1. Would it make sense to integrate this into the Keycloak core?
2. If it doesn’t make sense to merge it into the core, is there any plugin
system to extend Keycloak’s core? I’ve seen a discussion related to a
plugin system on GitHub but there is no outcome yet. We would rather
integrate it with Keycloak itself; otherwise the other option would be
creating a client that uses Keycloak’s REST API to manage the clients
remotely.

Thanks a lot in advance!

—
Best Regards,
Erik Berdonces Bonelo
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
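
The ownership rule suggested in the reply above (store the creating user in a client attribute and let only that user modify the client), modelled in Python as an added example; it is not code from this thread or from Keycloak. The attribute name `owner-user-id` and the `Caller`, `ClientStore` and `Forbidden` types are assumptions, and the model also covers the ownership transfer and admin override the original question asks for.

```python
# Model of the per-client ownership check suggested in the reply.
# OWNER_ATTR, Caller, ClientStore and Forbidden are hypothetical names, not
# Keycloak API; a custom endpoint would make the same decisions server-side.
from dataclasses import dataclass, field

OWNER_ATTR = "owner-user-id"  # assumed attribute name

class Forbidden(Exception):
    """Caller may not act on this client."""

@dataclass(frozen=True)
class Caller:
    user_id: str
    can_create: bool = False  # stands in for a "may create clients" role
    is_admin: bool = False    # the overseeing administrator

@dataclass
class ClientStore:
    clients: dict = field(default_factory=dict)  # client_id -> attributes

    def create(self, caller, client_id, attrs=None):
        if not (caller.can_create or caller.is_admin):
            raise Forbidden("caller may not create clients")
        if client_id in self.clients:
            raise ValueError("client already exists")
        clean = dict(attrs or {})
        # Owner comes from the authenticated caller, never from the request body.
        clean[OWNER_ATTR] = caller.user_id
        self.clients[client_id] = clean

    def _authorize(self, caller, client_id):
        attrs = self.clients[client_id]
        # Fail closed: a client without an owner attribute is admin-only.
        if not caller.is_admin and attrs.get(OWNER_ATTR) != caller.user_id:
            raise Forbidden("caller does not own this client")
        return attrs

    def update(self, caller, client_id, changes):
        attrs = self._authorize(caller, client_id)
        # An ordinary update must not be able to rewrite the owner.
        attrs.update({k: v for k, v in changes.items() if k != OWNER_ATTR})

    def transfer(self, caller, client_id, new_owner_id):
        self._authorize(caller, client_id)[OWNER_ATTR] = new_owner_id

    def delete(self, caller, client_id):
        self._authorize(caller, client_id)
        del self.clients[client_id]
```

Clients that predate the scheme carry no owner attribute, so they stay admin-only until an administrator assigns one with `transfer`.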