2:58 a.m.
Hi,
I was looking for a way to query users based on their exact username but it
turned out, that
org.keycloak.admin.client.resource.UsersResource.search(String, String,
String, String, Integer, Integer)
@GET
@Produces(MediaType.APPLICATION_JSON)
List<UserRepresentation> search(@QueryParam("username") String
username,
@QueryParam("firstName") String
firstName,
@QueryParam("lastName") String
lastName,
@QueryParam("email") String email,
@QueryParam("first") Integer
firstResult,
@QueryParam("max") Integer
maxResults);
...
usersResource.search("exactusername",null,null, null, null, email, 0, 10)
generates a like %..% query in
JpaUserProvider.searchForUserByAttributes(...).
Since usernames are unique per realm I think it would make sense to be able
to perform a
query for the exact username (or perhaps the combination of other
attributes as well).
Was this omitted by design, or may I create a JIRA for this?
Cheers,
Thomas
3:07 a.m.
It was by design, but it wasn't a good design. Would be better to make it
match exact, but allow including a wildcard to make it fuzzy.
On 19 January 2016 at 09:58, Thomas Darimont <thomas.darimont(a)googlemail.com
wrote:
Hi,
I was looking for a way to query users based on their exact username but
it turned out, that
org.keycloak.admin.client.resource.UsersResource.search(String, String,
String, String, Integer, Integer)
@GET
@Produces(MediaType.APPLICATION_JSON)
List<UserRepresentation> search(@QueryParam("username") String
username,
@QueryParam("firstName") String
firstName,
@QueryParam("lastName") String
lastName,
@QueryParam("email") String email,
@QueryParam("first") Integer
firstResult,
@QueryParam("max") Integer
maxResults);
...
usersResource.search("exactusername",null,null, null, null, email, 0, 10)
generates a like %..% query in
JpaUserProvider.searchForUserByAttributes(...).
Since usernames are unique per realm I think it would make sense to be
able to perform a
query for the exact username (or perhaps the combination of other
attributes as well).
Was this omitted by design, or may I create a JIRA for this?
Cheers,
Thomas
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:15 a.m.
Okay, how about offering a new search method that accepts s UserSearch DTO
that would hold the attributes to search by
as well as a "match mode". Could also be used to specify pagination.
This could also be send via a @POST in order to avoid retaining userdata
like usernames, email addresses etc. in
access logs...
Alternatively you could introduce a searchExact(..) method with the same
parameterization as the existing search method.
2016-01-19 10:07 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
It was by design, but it wasn't a good design. Would be better to
make it
match exact, but allow including a wildcard to make it fuzzy.
On 19 January 2016 at 09:58, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> Hi,
>
> I was looking for a way to query users based on their exact username but
> it turned out, that
> org.keycloak.admin.client.resource.UsersResource.search(String, String,
> String, String, Integer, Integer)
>
> @GET
> @Produces(MediaType.APPLICATION_JSON)
> List<UserRepresentation> search(@QueryParam("username") String
username,
> @QueryParam("firstName") String
> firstName,
> @QueryParam("lastName") String
> lastName,
> @QueryParam("email") String email,
> @QueryParam("first") Integer
> firstResult,
> @QueryParam("max") Integer
> maxResults);
>
> ...
> usersResource.search("exactusername",null,null, null, null, email, 0,
> 10)
>
> generates a like %..% query in
> JpaUserProvider.searchForUserByAttributes(...).
>
> Since usernames are unique per realm I think it would make sense to be
> able to perform a
> query for the exact username (or perhaps the combination of other
> attributes as well).
>
> Was this omitted by design, or may I create a JIRA for this?
>
> Cheers,
> Thomas
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
3:27 a.m.
Hello,
I created: https://issues.jboss.org/browse/KEYCLOAK-2343 to track this.
Cheers,
Thomas
2016-01-19 10:15 GMT+01:00 Thomas Darimont <thomas.darimont(a)googlemail.com>:
Okay, how about offering a new search method that accepts s
UserSearch DTO
that would hold the attributes to search by
as well as a "match mode". Could also be used to specify pagination.
This could also be send via a @POST in order to avoid retaining userdata
like usernames, email addresses etc. in
access logs...
Alternatively you could introduce a searchExact(..) method with the same
parameterization as the existing search method.
2016-01-19 10:07 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
> It was by design, but it wasn't a good design. Would be better to make it
> match exact, but allow including a wildcard to make it fuzzy.
>
> On 19 January 2016 at 09:58, Thomas Darimont <
> thomas.darimont(a)googlemail.com> wrote:
>
>> Hi,
>>
>> I was looking for a way to query users based on their exact username but
>> it turned out, that
>> org.keycloak.admin.client.resource.UsersResource.search(String,
>> String, String, String, Integer, Integer)
>>
>> @GET
>> @Produces(MediaType.APPLICATION_JSON)
>> List<UserRepresentation> search(@QueryParam("username") String
>> username,
>> @QueryParam("firstName") String
>> firstName,
>> @QueryParam("lastName") String
>> lastName,
>> @QueryParam("email") String
email,
>> @QueryParam("first") Integer
>> firstResult,
>> @QueryParam("max") Integer
>> maxResults);
>>
>> ...
>> usersResource.search("exactusername",null,null, null, null, email,
0,
>> 10)
>>
>> generates a like %..% query in
>> JpaUserProvider.searchForUserByAttributes(...).
>>
>> Since usernames are unique per realm I think it would make sense to be
>> able to perform a
>> query for the exact username (or perhaps the combination of other
>> attributes as well).
>>
>> Was this omitted by design, or may I create a JIRA for this?
>>
>> Cheers,
>> Thomas
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
4:49 a.m.
-1 To additional search method. URL should be '.../users'.
Simplest is just to change what we have now to not included wildcards. Then
add an extra query param "fuzzy". If fuzzy=true then we'd add %. Default
should be false. Alternatives are:
* Let users add % themselves
* Add separate query params for fuzzy
On 19 January 2016 at 10:27, Thomas Darimont <thomas.darimont(a)googlemail.com
wrote:
> Hello,
>
> I created: https://issues.jboss.org/browse/KEYCLOAK-2343 to track this.
>
> Cheers,
> Thomas
>
> 2016-01-19 10:15 GMT+01:00 Thomas Darimont <thomas.darimont(a)googlemail.com
> >:
>
>> Okay, how about offering a new search method that accepts s UserSearch
>> DTO that would hold the attributes to search by
>> as well as a "match mode". Could also be used to specify pagination.
>>
>> This could also be send via a @POST in order to avoid retaining userdata
>> like usernames, email addresses etc. in
>> access logs...
>>
>> Alternatively you could introduce a searchExact(..) method with the same
>> parameterization as the existing search method.
>>
>> 2016-01-19 10:07 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
>>
>>> It was by design, but it wasn't a good design. Would be better to make
>>> it match exact, but allow including a wildcard to make it fuzzy.
>>>
>>> On 19 January 2016 at 09:58, Thomas Darimont <
>>> thomas.darimont(a)googlemail.com wrote:
>>>
>>>> Hi,
>>>>
>>>> I was looking for a way to query users based on their exact username
>>>> but it turned out, that
>>>> org.keycloak.admin.client.resource.UsersResource.search(String,
>>>> String, String, String, Integer, Integer)
>>>>
>>>> @GET
>>>> @Produces(MediaType.APPLICATION_JSON)
>>>> List<UserRepresentation> search(@QueryParam("username")
String
>>>> username,
>>>> @QueryParam("firstName")
String
>>>> firstName,
>>>> @QueryParam("lastName")
String
>>>> lastName,
>>>> @QueryParam("email")
String
>>>> email,
>>>> @QueryParam("first")
Integer
>>>> firstResult,
>>>> @QueryParam("max")
Integer
>>>> maxResults);
>>>>
>>>> ...
>>>> usersResource.search("exactusername",null,null, null, null,
email, 0,
>>>> 10)
>>>>
>>>> generates a like %..% query in
>>>> JpaUserProvider.searchForUserByAttributes(...).
>>>>
>>>> Since usernames are unique per realm I think it would make sense to be
>>>> able to perform a
>>>> query for the exact username (or perhaps the combination of other
>>>> attributes as well).
>>>>
>>>> Was this omitted by design, or may I create a JIRA for this?
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>
>>>
>>
>
5:20 a.m.
I just wanted to ensure backwards compatibility - an additional parameter
would break (java) API
consumers who are currently using the keycloak-admin-client, since they are
potentially using the
variant without the parameter.
This would of course be no problem for REST API consumers.
What I see as a problem though is the behaviour change of the search
behaviour by default ...
(knowing the current API) I'd rather expect that the search would perform
the same as before
with fuzzy matching /by default/ and support for exact match if explicitly
stated.
However having a search operation that performs an exact search by
default "feels" more natural to me - so I'm fine with your suggestion as a
quick solution :)
Regarding urls:
I'd rather prefer to have some dedicated search sub-resources per entity -
but that is a more general topic...
With this approach one would be more flexible with respect to supported
searches
that could behave completly different.
Entity lookups by id
/entity/{id}
Dedicated lookup sub-resource for other attribute lookups: (here I'd expect
exactly 0 or 1 results)
/entity/lookup/byName?name=someName
/entity/lookup/byEmail?email=someEmail
Dedicated search sub-resources: (here I'd expect 0 or n results)
/entity/search/byName?name=someName
/entity/search/byNameMatching?pattern=someName
/entity/search/byAttributes?firstname=firstname&lastname=lastname
In addition to that one could also allow @POST requests to these
(sub-)resources
where the actual parameters are extracted from form-parameters in order
to avoid leaking user information like username, email, etc. in access logs.
I think this would be relevant for an application that deals with security
sensitive information
like keycloak does.
Cheers,
Thomas
2016-01-19 11:49 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
-1 To additional search method. URL should be '.../users'.
Simplest is just to change what we have now to not included wildcards.
Then add an extra query param "fuzzy". If fuzzy=true then we'd add %.
Default should be false. Alternatives are:
* Let users add % themselves
* Add separate query params for fuzzy
On 19 January 2016 at 10:27, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> Hello,
>
> I created: https://issues.jboss.org/browse/KEYCLOAK-2343 to track this.
>
> Cheers,
> Thomas
>
> 2016-01-19 10:15 GMT+01:00 Thomas Darimont <
> thomas.darimont(a)googlemail.com>:
>
>> Okay, how about offering a new search method that accepts s UserSearch
>> DTO that would hold the attributes to search by
>> as well as a "match mode". Could also be used to specify pagination.
>>
>> This could also be send via a @POST in order to avoid retaining userdata
>> like usernames, email addresses etc. in
>> access logs...
>>
>> Alternatively you could introduce a searchExact(..) method with the same
>> parameterization as the existing search method.
>>
>> 2016-01-19 10:07 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
>>
>>> It was by design, but it wasn't a good design. Would be better to make
>>> it match exact, but allow including a wildcard to make it fuzzy.
>>>
>>> On 19 January 2016 at 09:58, Thomas Darimont <
>>> thomas.darimont(a)googlemail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I was looking for a way to query users based on their exact username
>>>> but it turned out, that
>>>> org.keycloak.admin.client.resource.UsersResource.search(String,
>>>> String, String, String, Integer, Integer)
>>>>
>>>> @GET
>>>> @Produces(MediaType.APPLICATION_JSON)
>>>> List<UserRepresentation> search(@QueryParam("username")
String
>>>> username,
>>>> @QueryParam("firstName")
String
>>>> firstName,
>>>> @QueryParam("lastName")
String
>>>> lastName,
>>>> @QueryParam("email")
String
>>>> email,
>>>> @QueryParam("first")
Integer
>>>> firstResult,
>>>> @QueryParam("max")
Integer
>>>> maxResults);
>>>>
>>>> ...
>>>> usersResource.search("exactusername",null,null, null, null,
email,
>>>> 0, 10)
>>>>
>>>> generates a like %..% query in
>>>> JpaUserProvider.searchForUserByAttributes(...).
>>>>
>>>> Since usernames are unique per realm I think it would make sense to be
>>>> able to perform a
>>>> query for the exact username (or perhaps the combination of other
>>>> attributes as well).
>>>>
>>>> Was this omitted by design, or may I create a JIRA for this?
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>
>>>
>>
>
12:52 p.m.
We've decided to leave the admin endpoints as is for 1.x series. In 2.x
series we'll introduce a version 2 of the API which won't be backwards
compatible. This will give us greater flexibility in improving the API, but
still support the older API for some time.
On 19 January 2016 at 12:20, Thomas Darimont <thomas.darimont(a)googlemail.com
wrote:
I just wanted to ensure backwards compatibility - an additional
parameter
would break (java) API
consumers who are currently using the keycloak-admin-client, since they
are potentially using the
variant without the parameter.
This would of course be no problem for REST API consumers.
What I see as a problem though is the behaviour change of the search
behaviour by default ...
(knowing the current API) I'd rather expect that the search would perform
the same as before
with fuzzy matching /by default/ and support for exact match if explicitly
stated.
However having a search operation that performs an exact search by
default "feels" more natural to me - so I'm fine with your suggestion as a
quick solution :)
Regarding urls:
I'd rather prefer to have some dedicated search sub-resources per entity -
but that is a more general topic...
With this approach one would be more flexible with respect to supported
searches
that could behave completly different.
Entity lookups by id
/entity/{id}
Dedicated lookup sub-resource for other attribute lookups: (here I'd
expect exactly 0 or 1 results)
/entity/lookup/byName?name=someName
/entity/lookup/byEmail?email=someEmail
Dedicated search sub-resources: (here I'd expect 0 or n results)
/entity/search/byName?name=someName
/entity/search/byNameMatching?pattern=someName
/entity/search/byAttributes?firstname=firstname&lastname=lastname
-1 A single resource with different query params is much cleaner IMO
In addition to that one could also allow @POST requests to these
(sub-)resources
where the actual parameters are extracted from form-parameters in order
to avoid leaking user information like username, email, etc. in access
logs.
I think this would be relevant for an application that deals with security
sensitive information
like keycloak does.
Agree with the security sensitivity, but it sounds very non-rest
>
> Cheers,
> Thomas
>
>
> 2016-01-19 11:49 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
>
>> -1 To additional search method. URL should be '.../users'.
>>
>> Simplest is just to change what we have now to not included wildcards.
>> Then add an extra query param "fuzzy". If fuzzy=true then we'd add
%.
>> Default should be false. Alternatives are:
>>
>> * Let users add % themselves
>> * Add separate query params for fuzzy
>>
>> On 19 January 2016 at 10:27, Thomas Darimont <
>> thomas.darimont(a)googlemail.com wrote:
>>
>>> Hello,
>>>
>>> I created: https://issues.jboss.org/browse/KEYCLOAK-2343 to track this.
>>>
>>> Cheers,
>>> Thomas
>>>
>>> 2016-01-19 10:15 GMT+01:00 Thomas Darimont <
>>> thomas.darimont(a)googlemail.com>:
>>>
>>>> Okay, how about offering a new search method that accepts s UserSearch
>>>> DTO that would hold the attributes to search by
>>>> as well as a "match mode". Could also be used to specify
pagination.
>>>>
>>>> This could also be send via a @POST in order to avoid retaining
>>>> userdata like usernames, email addresses etc. in
>>>> access logs...
>>>>
>>>> Alternatively you could introduce a searchExact(..) method with the
>>>> same parameterization as the existing search method.
>>>>
>>>> 2016-01-19 10:07 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
>>>>
>>>>> It was by design, but it wasn't a good design. Would be better to
make
>>>>> it match exact, but allow including a wildcard to make it fuzzy.
>>>>>
>>>>> On 19 January 2016 at 09:58, Thomas Darimont <
>>>>> thomas.darimont(a)googlemail.com wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I was looking for a way to query users based on their exact
username
>>>>>> but it turned out, that
>>>>>>
org.keycloak.admin.client.resource.UsersResource.search(String,
>>>>>> String, String, String, Integer, Integer)
>>>>>>
>>>>>> @GET
>>>>>> @Produces(MediaType.APPLICATION_JSON)
>>>>>> List<UserRepresentation>
search(@QueryParam("username") String
>>>>>> username,
>>>>>>
@QueryParam("firstName")
>>>>>> String firstName,
>>>>>>
@QueryParam("lastName") String
>>>>>> lastName,
>>>>>>
@QueryParam("email") String
>>>>>> email,
>>>>>>
@QueryParam("first") Integer
>>>>>> firstResult,
>>>>>>
@QueryParam("max") Integer
>>>>>> maxResults);
>>>>>>
>>>>>> ...
>>>>>> usersResource.search("exactusername",null,null, null,
null, email,
>>>>>> 0, 10)
>>>>>>
>>>>>> generates a like %..% query in
>>>>>> JpaUserProvider.searchForUserByAttributes(...).
>>>>>>
>>>>>> Since usernames are unique per realm I think it would make sense
to
>>>>>> be able to perform a
>>>>>> query for the exact username (or perhaps the combination of
other
>>>>>> attributes as well).
>>>>>>
>>>>>> Was this omitted by design, or may I create a JIRA for this?
>>>>>>
>>>>>> Cheers,
>>>>>> Thomas
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
1:48 p.m.
Answers inline
2016-01-19 19:52 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
We've decided to leave the admin endpoints as is for 1.x series.
In 2.x
series we'll introduce a version 2 of the API which won't be backwards
compatible. This will give us greater flexibility in improving the API, but
still support the older API for some time.
Sounds reasonable - will keep that in mind!
On 19 January 2016 at 12:20, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> I just wanted to ensure backwards compatibility - an additional parameter
> would break (java) API
> consumers who are currently using the keycloak-admin-client, since they
> are potentially using the
> variant without the parameter.
> This would of course be no problem for REST API consumers.
>
> What I see as a problem though is the behaviour change of the search
> behaviour by default ...
> (knowing the current API) I'd rather expect that the search would perform
> the same as before
> with fuzzy matching /by default/ and support for exact match if
> explicitly stated.
>
> However having a search operation that performs an exact search by
> default "feels" more natural to me - so I'm fine with your suggestion
as
> a quick solution :)
>
> Regarding urls:
> I'd rather prefer to have some dedicated search sub-resources per entity
> - but that is a more general topic...
> With this approach one would be more flexible with respect to supported
> searches
> that could behave completly different.
>
> Entity lookups by id
> /entity/{id}
>
> Dedicated lookup sub-resource for other attribute lookups: (here I'd
> expect exactly 0 or 1 results)
> /entity/lookup/byName?name=someName
> /entity/lookup/byEmail?email=someEmail
>
> Dedicated search sub-resources: (here I'd expect 0 or n results)
>
> /entity/search/byName?name=someName
> /entity/search/byNameMatching?pattern=someName
> /entity/search/byAttributes?firstname=firstname&lastname=lastname
>
-1 A single resource with different query params is much cleaner IMO
Yes and no, it may look cleaner to some degree in the beginning but once
more sophisticated
user searches / lookups become necessary it can turn into a mess because
one has to deal
with a bunch of different parameters and handle the resulting parameter
combinations in a proper way.
Having dedicated search endpoints makes it easier to provide narrowly
focused search APIs IMHO.
> In addition to that one could also allow @POST requests to these
> (sub-)resources
> where the actual parameters are extracted from form-parameters in order
> to avoid leaking user information like username, email, etc. in access
> logs.
> I think this would be relevant for an application that deals with
> security sensitive information
> like keycloak does.
>
Agree with the security sensitivity, but it sounds very non-rest
Yes indeed, that's one occasion where one has to deviate from traditional
rest teachings for the sake of security ;-)
Although using POST requests don't make the whole app more secure but
helps, as said to not leave unnecessary
traces in proxy / access logs etc.
http://stackoverflow.com/questions/198462/is-either-get-or-post-more-secu...
> Cheers,
> Thomas
>
>
> 2016-01-19 11:49 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
>
>> -1 To additional search method. URL should be '.../users'.
>>
>> Simplest is just to change what we have now to not included wildcards.
>> Then add an extra query param "fuzzy". If fuzzy=true then we'd add
%.
>> Default should be false. Alternatives are:
>>
>> * Let users add % themselves
>> * Add separate query params for fuzzy
>>
>> On 19 January 2016 at 10:27, Thomas Darimont <
>> thomas.darimont(a)googlemail.com> wrote:
>>
>>> Hello,
>>>
>>> I created: https://issues.jboss.org/browse/KEYCLOAK-2343 to track this.
>>>
>>> Cheers,
>>> Thomas
>>>
>>> 2016-01-19 10:15 GMT+01:00 Thomas Darimont <
>>> thomas.darimont(a)googlemail.com>:
>>>
>>>> Okay, how about offering a new search method that accepts s UserSearch
>>>> DTO that would hold the attributes to search by
>>>> as well as a "match mode". Could also be used to specify
pagination.
>>>>
>>>> This could also be send via a @POST in order to avoid retaining
>>>> userdata like usernames, email addresses etc. in
>>>> access logs...
>>>>
>>>> Alternatively you could introduce a searchExact(..) method with the
>>>> same parameterization as the existing search method.
>>>>
>>>> 2016-01-19 10:07 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
>>>>
>>>>> It was by design, but it wasn't a good design. Would be better
to
>>>>> make it match exact, but allow including a wildcard to make it
fuzzy.
>>>>>
>>>>> On 19 January 2016 at 09:58, Thomas Darimont <
>>>>> thomas.darimont(a)googlemail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I was looking for a way to query users based on their exact
username
>>>>>> but it turned out, that
>>>>>>
org.keycloak.admin.client.resource.UsersResource.search(String,
>>>>>> String, String, String, Integer, Integer)
>>>>>>
>>>>>> @GET
>>>>>> @Produces(MediaType.APPLICATION_JSON)
>>>>>> List<UserRepresentation>
search(@QueryParam("username") String
>>>>>> username,
>>>>>>
@QueryParam("firstName")
>>>>>> String firstName,
>>>>>>
@QueryParam("lastName")
>>>>>> String lastName,
>>>>>>
@QueryParam("email") String
>>>>>> email,
>>>>>>
@QueryParam("first") Integer
>>>>>> firstResult,
>>>>>>
@QueryParam("max") Integer
>>>>>> maxResults);
>>>>>>
>>>>>> ...
>>>>>> usersResource.search("exactusername",null,null, null,
null, email,
>>>>>> 0, 10)
>>>>>>
>>>>>> generates a like %..% query in
>>>>>> JpaUserProvider.searchForUserByAttributes(...).
>>>>>>
>>>>>> Since usernames are unique per realm I think it would make sense
to
>>>>>> be able to perform a
>>>>>> query for the exact username (or perhaps the combination of
other
>>>>>> attributes as well).
>>>>>>
>>>>>> Was this omitted by design, or may I create a JIRA for this?
>>>>>>
>>>>>> Cheers,
>>>>>> Thomas
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
1:54 p.m.
On 19 January 2016 at 20:48, Thomas Darimont <thomas.darimont(a)googlemail.com
wrote:
> Answers inline
>
> 2016-01-19 19:52 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
>
>> We've decided to leave the admin endpoints as is for 1.x series. In 2.x
>> series we'll introduce a version 2 of the API which won't be backwards
>> compatible. This will give us greater flexibility in improving the API, but
>> still support the older API for some time.
>>
>>
> Sounds reasonable - will keep that in mind!
>
>
>> On 19 January 2016 at 12:20, Thomas Darimont <
>> thomas.darimont(a)googlemail.com wrote:
>>
>>> I just wanted to ensure backwards compatibility - an additional
>>> parameter would break (java) API
>>> consumers who are currently using the keycloak-admin-client, since they
>>> are potentially using the
>>> variant without the parameter.
>>> This would of course be no problem for REST API consumers.
>>>
>>> What I see as a problem though is the behaviour change of the search
>>> behaviour by default ...
>>> (knowing the current API) I'd rather expect that the search would
>>> perform the same as before
>>> with fuzzy matching /by default/ and support for exact match if
>>> explicitly stated.
>>>
>>> However having a search operation that performs an exact search by
>>> default "feels" more natural to me - so I'm fine with your
suggestion as
>>> a quick solution :)
>>>
>>
>>> Regarding urls:
>>> I'd rather prefer to have some dedicated search sub-resources per entity
>>> - but that is a more general topic...
>>> With this approach one would be more flexible with respect to supported
>>> searches
>>> that could behave completly different.
>>>
>>> Entity lookups by id
>>> /entity/{id}
>>>
>>> Dedicated lookup sub-resource for other attribute lookups: (here I'd
>>> expect exactly 0 or 1 results)
>>> /entity/lookup/byName?name=someName
>>> /entity/lookup/byEmail?email=someEmail
>>>
>>> Dedicated search sub-resources: (here I'd expect 0 or n results)
>>>
>>> /entity/search/byName?name=someName
>>> /entity/search/byNameMatching?pattern=someName
>>> /entity/search/byAttributes?firstname=firstname&lastname=lastname
>>>
>>
>> -1 A single resource with different query params is much cleaner IMO
>>
>>
> Yes and no, it may look cleaner to some degree in the beginning but once
> more sophisticated
> user searches / lookups become necessary it can turn into a mess because
> one has to deal
> with a bunch of different parameters and handle the resulting parameter
> combinations in a proper way.
> Having dedicated search endpoints makes it easier to provide narrowly
> focused search APIs IMHO.
>
It always depends. I can't see us providing so many different search
endpoints that having multiple different endpoints will be cleaner. Having
one endpoint with multiple params also provides more flexibility. For even
more flexibility you can use something along what Mongo does to include a
complex json object for the search params.
>
>> In addition to that one could also allow @POST requests to these
>> (sub-)resources
>> where the actual parameters are extracted from form-parameters in order
>> to avoid leaking user information like username, email, etc. in access
>> logs.
>> I think this would be relevant for an application that deals with
>> security sensitive information
>> like keycloak does.
>>
>
> Agree with the security sensitivity, but it sounds very non-rest
>
>
Yes indeed, that's one occasion where one has to deviate from traditional
rest teachings for the sake of security ;-)
Although using POST requests don't make the whole app more secure but
helps, as said to not leave unnecessary
traces in proxy / access logs etc.
http://stackoverflow.com/questions/198462/is-either-get-or-post-more-secu...
Assuming HTTPS is used then the only place that query params could be
leaked is in the web server log, so wouldn't it be more sensible to make
sure they are not included in the server logs?
>
>
>>
>>> Cheers,
>>> Thomas
>>>
>>>
>>> 2016-01-19 11:49 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
>>>
>>>> -1 To additional search method. URL should be '.../users'.
>>>>
>>>> Simplest is just to change what we have now to not included wildcards.
>>>> Then add an extra query param "fuzzy". If fuzzy=true then
we'd add %.
>>>> Default should be false. Alternatives are:
>>>>
>>>> * Let users add % themselves
>>>> * Add separate query params for fuzzy
>>>>
>>>> On 19 January 2016 at 10:27, Thomas Darimont <
>>>> thomas.darimont(a)googlemail.com wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I created: https://issues.jboss.org/browse/KEYCLOAK-2343 to track
>>>>> this.
>>>>>
>>>>> Cheers,
>>>>> Thomas
>>>>>
>>>>> 2016-01-19 10:15 GMT+01:00 Thomas Darimont <
>>>>> thomas.darimont(a)googlemail.com>:
>>>>>
>>>>>> Okay, how about offering a new search method that accepts s
>>>>>> UserSearch DTO that would hold the attributes to search by
>>>>>> as well as a "match mode". Could also be used to
specify pagination.
>>>>>>
>>>>>> This could also be send via a @POST in order to avoid retaining
>>>>>> userdata like usernames, email addresses etc. in
>>>>>> access logs...
>>>>>>
>>>>>> Alternatively you could introduce a searchExact(..) method with
the
>>>>>> same parameterization as the existing search method.
>>>>>>
>>>>>> 2016-01-19 10:07 GMT+01:00 Stian Thorgersen
<sthorger(a)redhat.com>:
>>>>>>
>>>>>>> It was by design, but it wasn't a good design. Would be
better to
>>>>>>> make it match exact, but allow including a wildcard to make
it fuzzy.
>>>>>>>
>>>>>>> On 19 January 2016 at 09:58, Thomas Darimont <
>>>>>>> thomas.darimont(a)googlemail.com wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I was looking for a way to query users based on their
exact
>>>>>>>> username but it turned out, that
>>>>>>>>
org.keycloak.admin.client.resource.UsersResource.search(String,
>>>>>>>> String, String, String, Integer, Integer)
>>>>>>>>
>>>>>>>> @GET
>>>>>>>> @Produces(MediaType.APPLICATION_JSON)
>>>>>>>> List<UserRepresentation>
search(@QueryParam("username") String
>>>>>>>> username,
>>>>>>>>
@QueryParam("firstName")
>>>>>>>> String firstName,
>>>>>>>>
@QueryParam("lastName")
>>>>>>>> String lastName,
>>>>>>>>
@QueryParam("email") String
>>>>>>>> email,
>>>>>>>>
@QueryParam("first") Integer
>>>>>>>> firstResult,
>>>>>>>>
@QueryParam("max") Integer
>>>>>>>> maxResults);
>>>>>>>>
>>>>>>>> ...
>>>>>>>>
usersResource.search("exactusername",null,null, null, null,
>>>>>>>> email, 0, 10)
>>>>>>>>
>>>>>>>> generates a like %..% query in
>>>>>>>> JpaUserProvider.searchForUserByAttributes(...).
>>>>>>>>
>>>>>>>> Since usernames are unique per realm I think it would
make sense to
>>>>>>>> be able to perform a
>>>>>>>> query for the exact username (or perhaps the combination
of other
>>>>>>>> attributes as well).
>>>>>>>>
>>>>>>>> Was this omitted by design, or may I create a JIRA for
this?
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Thomas
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-dev mailing list
>>>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
2:06 p.m.
2016-01-19 20:54 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
On 19 January 2016 at 20:48, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> Answers inline
>
> 2016-01-19 19:52 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
>
>> We've decided to leave the admin endpoints as is for 1.x series. In 2.x
>> series we'll introduce a version 2 of the API which won't be backwards
>> compatible. This will give us greater flexibility in improving the API, but
>> still support the older API for some time.
>>
>>
> Sounds reasonable - will keep that in mind!
>
>
>> On 19 January 2016 at 12:20, Thomas Darimont <
>> thomas.darimont(a)googlemail.com> wrote:
>>
>>> I just wanted to ensure backwards compatibility - an additional
>>> parameter would break (java) API
>>> consumers who are currently using the keycloak-admin-client, since they
>>> are potentially using the
>>> variant without the parameter.
>>> This would of course be no problem for REST API consumers.
>>>
>>> What I see as a problem though is the behaviour change of the search
>>> behaviour by default ...
>>> (knowing the current API) I'd rather expect that the search would
>>> perform the same as before
>>> with fuzzy matching /by default/ and support for exact match if
>>> explicitly stated.
>>>
>>> However having a search operation that performs an exact search by
>>> default "feels" more natural to me - so I'm fine with your
suggestion
>>> as a quick solution :)
>>>
>>
>>> Regarding urls:
>>> I'd rather prefer to have some dedicated search sub-resources per
>>> entity - but that is a more general topic...
>>> With this approach one would be more flexible with respect to supported
>>> searches
>>> that could behave completly different.
>>>
>>> Entity lookups by id
>>> /entity/{id}
>>>
>>> Dedicated lookup sub-resource for other attribute lookups: (here I'd
>>> expect exactly 0 or 1 results)
>>> /entity/lookup/byName?name=someName
>>> /entity/lookup/byEmail?email=someEmail
>>>
>>> Dedicated search sub-resources: (here I'd expect 0 or n results)
>>>
>>> /entity/search/byName?name=someName
>>> /entity/search/byNameMatching?pattern=someName
>>> /entity/search/byAttributes?firstname=firstname&lastname=lastname
>>>
>>
>> -1 A single resource with different query params is much cleaner IMO
>>
>>
> Yes and no, it may look cleaner to some degree in the beginning but once
> more sophisticated
> user searches / lookups become necessary it can turn into a mess because
> one has to deal
> with a bunch of different parameters and handle the resulting parameter
> combinations in a proper way.
> Having dedicated search endpoints makes it easier to provide narrowly
> focused search APIs IMHO.
>
It always depends. I can't see us providing so many different search
endpoints that having multiple different endpoints will be cleaner. Having
one endpoint with multiple params also provides more flexibility. For even
more flexibility you can use something along what Mongo does to include a
complex json object for the search params.
Yes, generally I agree - but I'm a bit biased since I come from a Spring
Data Rest background:
http://docs.spring.io/spring-data/rest/docs/current/reference/html/#repos...
having dedicated resources makes it IMHO easier to build self-describing
discoverable hypermedia REST endpoints
since it is easier to represent sub resources via dedicated rels then
refering to a subset or permutation of query parameters.
>
>>
>>> In addition to that one could also allow @POST requests to these
>>> (sub-)resources
>>> where the actual parameters are extracted from form-parameters in order
>>> to avoid leaking user information like username, email, etc. in access
>>> logs.
>>> I think this would be relevant for an application that deals with
>>> security sensitive information
>>> like keycloak does.
>>>
>>
>> Agree with the security sensitivity, but it sounds very non-rest
>>
>>
> Yes indeed, that's one occasion where one has to deviate from traditional
> rest teachings for the sake of security ;-)
> Although using POST requests don't make the whole app more secure but
> helps, as said to not leave unnecessary
> traces in proxy / access logs etc.
>
>
http://stackoverflow.com/questions/198462/is-either-get-or-post-more-secu...
>
Assuming HTTPS is used then the only place that query params could be
leaked is in the web server log, so wouldn't it be more sensible to make
sure they are not included in the server logs?
Yes that's right one has many options here - using POST requests are an
easy way to do so.
>
>>
>>> Cheers,
>>> Thomas
>>>
>>>
>>> 2016-01-19 11:49 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
>>>
>>>> -1 To additional search method. URL should be '.../users'.
>>>>
>>>> Simplest is just to change what we have now to not included wildcards.
>>>> Then add an extra query param "fuzzy". If fuzzy=true then
we'd add %.
>>>> Default should be false. Alternatives are:
>>>>
>>>> * Let users add % themselves
>>>> * Add separate query params for fuzzy
>>>>
>>>> On 19 January 2016 at 10:27, Thomas Darimont <
>>>> thomas.darimont(a)googlemail.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I created: https://issues.jboss.org/browse/KEYCLOAK-2343 to track
>>>>> this.
>>>>>
>>>>> Cheers,
>>>>> Thomas
>>>>>
>>>>> 2016-01-19 10:15 GMT+01:00 Thomas Darimont <
>>>>> thomas.darimont(a)googlemail.com>:
>>>>>
>>>>>> Okay, how about offering a new search method that accepts s
>>>>>> UserSearch DTO that would hold the attributes to search by
>>>>>> as well as a "match mode". Could also be used to
specify pagination.
>>>>>>
>>>>>> This could also be send via a @POST in order to avoid retaining
>>>>>> userdata like usernames, email addresses etc. in
>>>>>> access logs...
>>>>>>
>>>>>> Alternatively you could introduce a searchExact(..) method with
the
>>>>>> same parameterization as the existing search method.
>>>>>>
>>>>>> 2016-01-19 10:07 GMT+01:00 Stian Thorgersen
<sthorger(a)redhat.com>:
>>>>>>
>>>>>>> It was by design, but it wasn't a good design. Would be
better to
>>>>>>> make it match exact, but allow including a wildcard to make
it fuzzy.
>>>>>>>
>>>>>>> On 19 January 2016 at 09:58, Thomas Darimont <
>>>>>>> thomas.darimont(a)googlemail.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I was looking for a way to query users based on their
exact
>>>>>>>> username but it turned out, that
>>>>>>>>
org.keycloak.admin.client.resource.UsersResource.search(String,
>>>>>>>> String, String, String, Integer, Integer)
>>>>>>>>
>>>>>>>> @GET
>>>>>>>> @Produces(MediaType.APPLICATION_JSON)
>>>>>>>> List<UserRepresentation>
search(@QueryParam("username") String
>>>>>>>> username,
>>>>>>>>
@QueryParam("firstName")
>>>>>>>> String firstName,
>>>>>>>>
@QueryParam("lastName")
>>>>>>>> String lastName,
>>>>>>>>
@QueryParam("email") String
>>>>>>>> email,
>>>>>>>>
@QueryParam("first")
>>>>>>>> Integer firstResult,
>>>>>>>>
@QueryParam("max") Integer
>>>>>>>> maxResults);
>>>>>>>>
>>>>>>>> ...
>>>>>>>>
usersResource.search("exactusername",null,null, null, null,
>>>>>>>> email, 0, 10)
>>>>>>>>
>>>>>>>> generates a like %..% query in
>>>>>>>> JpaUserProvider.searchForUserByAttributes(...).
>>>>>>>>
>>>>>>>> Since usernames are unique per realm I think it would
make sense
>>>>>>>> to be able to perform a
>>>>>>>> query for the exact username (or perhaps the combination
of other
>>>>>>>> attributes as well).
>>>>>>>>
>>>>>>>> Was this omitted by design, or may I create a JIRA for
this?
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Thomas
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-dev mailing list
>>>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
3284
days inactive
3284
days old
9 comments
2 participants
participants (2)
-
Stian Thorgersen -
Thomas Darimont