I have few points regarding example applications: - For third-party oauth client example, there is not possibility to configure stuff through JSON but everything is hardcoded in classes Bootstrap and ProductDatabaseClient. There are also some strange comments in code like "This is the worst code ever" etc :-) This is not so ideal IMO as I expect that people will often look to the source code of these examples for inspiration. I believe that OAuth clients should also have something like ManagedResourceConfigLoader for Applications.

- For the "third-party" OAuth client, I don't like the fact that when user press "Cancel" in OAuth grant page, there is exception in server.log and Tomcat error page displayed. I believe the behaviour should be more user-friendly.

- Examples "customer-portal", "product-portal", "database-service" and "oauth-client" are using package "org.jboss.reasteasy..." instead of "org.keycloak..."

On 11.12.2013 14:10, Bill Burke wrote: > > On 12/10/2013 11:45 AM, Marek Posolda wrote: >> I have few points regarding example applications: >> >> - For third-party oauth client example, there is not possibility to >> configure stuff through JSON but everything is hardcoded in classes >> Bootstrap and ProductDatabaseClient. There are also some strange >> comments in code like "This is the worst code ever" etc :-) This is not >> so ideal IMO as I expect that people will often look to the source code >> of these examples for inspiration. I believe that OAuth clients should >> also have something like ManagedResourceConfigLoader for Applications. >> > Feel free to write a better example with CDI or Spring and expand out > the oauth client framework code. I've send PR https://github.com/keycloak/keycloak/pull/134 . Third-party application rewritten to use CDI+JSF and now it read the configuration from JSON file. I've added ManagedOAuthClientConfigLoader (subclass of ManagedResourceConfigLoader) for support of reading configuration of OAuth clients from JSON files. I've also created JIRA https://issues.jboss.org/browse/KEYCLOAK-231 and implemented it in my PR as currently our adapters (both OAuthClient and Applications) don't have any support for sending "scope" parameter to Keycloak server. So now if you have something like this in keycloak.json configuration of your application or oauth-client: "scope" : { "realm" : [ "user" ] }

From: "Marek Posolda" <mposolda(a)redhat.com&gt; To: "Bill Burke" <bburke(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Friday, 13 December, 2013 9:14:37 AM Subject: Re: [keycloak-dev] Feedback on examples On 12.12.2013 21:18, Bill Burke wrote: > > > On 12/12/2013 12:35 PM, Marek Posolda wrote: >> On 11.12.2013 14:10, Bill Burke wrote: >>> >>> On 12/10/2013 11:45 AM, Marek Posolda wrote: >>>> I have few points regarding example applications: >>>> >>>> - For third-party oauth client example, there is not possibility to >>>> configure stuff through JSON but everything is hardcoded in classes >>>> Bootstrap and ProductDatabaseClient. There are also some strange >>>> comments in code like "This is the worst code ever" etc :-) This is >>>> not >>>> so ideal IMO as I expect that people will often look to the source >>>> code >>>> of these examples for inspiration. I believe that OAuth clients should >>>> also have something like ManagedResourceConfigLoader for Applications. >>>> >>> Feel free to write a better example with CDI or Spring and expand out >>> the oauth client framework code. >> I've send PR https://github.com/keycloak/keycloak/pull/134 . Third-party >> application rewritten to use CDI+JSF and now it read the configuration >> from JSON file. I've added ManagedOAuthClientConfigLoader (subclass of >> ManagedResourceConfigLoader) for support of reading configuration of >> OAuth clients from JSON files. >> >> I've also created JIRA https://issues.jboss.org/browse/KEYCLOAK-231 and >> implemented it in my PR as currently our adapters (both OAuthClient and >> Applications) don't have any support for sending "scope" parameter to >> Keycloak server. >> >> So now if you have something like this in keycloak.json configuration of >> your application or oauth-client: >> "scope" : { >> "realm" : [ "user" ] >> } >> > > I'm not sure we need a "scope" parameter. Scope is already configured > and defined within the admin console for each application and/or oauth > client. Apps/oauth clients just can't ask for any role they want, > they must have permission to ask for that role. The only purpose a > "scope" parameter would provide would be to reduce the size of the > access token. > Parameter "scope" is currently supported on auth-server side and in OAuth2 specs, so it makes sense to have some support for it also on apps/oauth-clients side IMO. One use-case could be reducing the size of access token. Another use-case is, that administrator of particular application/oauth-client doesn't have admin permission of the Keycloak SSO server against he wants to authenticate (due to some corporate policy or whatever), so in this case only possibility for him to reduce required scopes is through the "scope" parameter. I think it's important especially for oauth-clients as users need to accept all scopes in OAuth grant screen and the more permissions are required, the less is the chance that user doesn't want to grant that permissions. Marek _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev