API for Registering users / Flow for registration on iOS
by Vinay Anantharaman
Hi,
I would like to make an iOS app which uses social login using Facebook. I
don't want to have the users register using Keycloak's HTML form to
register. I've made an app before where we had a native UI for social login
for Facebook. I passed the FB Access token to my backend and was able to
create a user from there.
How can I get this workflow with Keycloak? I dug around the docs and
couldn't find anything. I assume that Keycloak's HTML registration forms
must be submitting and accepting social login tokens to create users.
Thanks,
Vinay Anantharaman
8 years, 8 months
Query on Keycloak Setup
by Satyajit Das
Hi team,
Kindly respond to my query below. My queries can be trivial because I am
new to web applications.
I have a web application which is on AngularJS. I want it to get
authenticated and redirected to the Keycloak page for SSO authentication when
I hit the application URL.
In your document and demo I saw you have configured that using web.xml,
context.xml and keycloak.json. (These files were all true and working for
JSP, servlets and HTML pages.) But how do I configure this for an AngularJS
project? It doesn't have any web.xml or context.xml.
I saw your example in
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/c...
There is only a keycloak.json configuration with public-client as true.
Can't I have this as confidential, where it will accept the user ID and
password? How will I map the roles where there is no web.xml?
Looking forward to your response.
Regards,
Satya.
8 years, 8 months
Fwd: Remove address from registration and account management by default
by Lennart Jörelid
[Forwarding to the list; not meant as a personal reply.]
Hello there,
This is exactly what I am struggling with at the moment. I have found a
number of things which would need clarification in documentation as well as
in examples:
1. *Custom user data properties/fields*. It seems that one has to/ought
to add custom properties to three places in the theme files: account, admin
and registration. However, the ways to add them differ greatly, as each FTL
template structure is quite different. (Account uses account.ftl; Admin
uses partials/user-attribute-entry.ftl). Pattern definitions and
explanations are missing from examples and documentation, as far as I can
tell.
2. *Editable properties per role*. Realm admins/editors could perhaps be
able to edit all properties (except primary key/ID value) for all the users
in a realm - but we would typically like to restrict which properties (both
basic and custom attributes) are editable depending on the roles/privileges
a user has in the realm. (For example, it would likely be a bad idea to
permit users to change their names and birthday arbitrarily after
registration). How do we restrict editability of normal and custom user
properties - both in terms of the data and the forms required to interact
with keycloak? Pattern definitions and explanations are missing from
examples and documentation, as far as I can tell.
3. *Linking users to roles/privileges in other realms.* How should one
construct realms to grant roles & privileges automatically to users in
other realms? (For example: All Users in Literary Society A can register
for a party hosted by Literary Society B. Hence, how does realm admin B
grant role KnownGuest to all users in realm A, to permit them to access
Society B's register-to-the-event-page? Assume, of course, that both A and
B are managed by the same Keycloak DB, so basic identity attributes should
be extracted normally from Keycloak. Neither realm admins from A nor B have
master realm access.) Pattern definitions and explanations are missing from
examples and documentation, as far as I can tell.
2015-08-13 15:49 GMT+02:00 Stian Thorgersen <stian(a)redhat.com>:
> As highlighted by the UXP team the registration screen is not very nice. I
> propose we remove the address fields from the registration and account
> management. Instead we should have an example theme that shows adding
> additional fields to the screens.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
--
+==============================+
| Bästa hälsningar,
| [sw. "Best regards"]
|
| Lennart Jörelid
| EAI Architect & Integrator
|
| jGuru Europe AB
| Mölnlycke - Kista
|
| Email: lj(a)jguru.se
| URL: www.jguru.se
| Phone
| (skype): jgurueurope
| (intl): +46 708 507 603
| (domestic): 0708 - 507 603
+==============================+
8 years, 8 months
Operational monitoring of Keycloak server
by Vlastimil Elias
Hi,
as we deployed KC to production mode for https://developers.redhat.com
we started to think about operational monitoring, for example from
Nagios or other systems of this type.
The KC user guide doesn't contain any chapter covering this topic, and there
was no success with a Google search either, so it looks like KC doesn't have
any solution for this yet.
But I believe this is an important area which must be solved when KC is
used for production.
I can imagine monitoring of JDBC connection if JPA is used, monitoring
of Mongo connection if used as store, monitoring of LDAP connection if
LDAP federation is used etc.
Also some statistics like the number of active SSO sessions, number of
logins per minute etc should be provided there.
Monitoring is not about Keycloak core itself, it should be available for
extension developers also. For example we implemented our own
UserFederationProvider which calls backend REST services.
We should be able to add info about this integration into monitoring
endpoint to be able to catch problems with this REST API.
It should probably be implemented the same way as used by the underlying
WildFly/EAP (JPA/JDBC is probably available for monitoring there). I'm
not sure if JMX is used there still or if some new framework is
available for it.
Or KC should use some form of KC REST API for this, which should be
extended by additional info from KC extensions?
What do you think?
Vlastimil
P.S. We have https://issues.jboss.org/browse/RHD-552 for Red Hat
Developer instance of KC
--
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team
8 years, 8 months
auth spi docs/examples available in master
by Bill Burke
Wrote about 15 pages of docs. Created an example under
examples/providers/authenticator. It is both a required action and
authenticator example.
If you have time, please review. If you don't...oh well...
Refactored the SPI a bit when I created the examples. Hopefully it is a
lot simpler.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 8 months
Re: [keycloak-dev] [keycloak-user] Would like to deprecate/remove JPA/Mongo UserSessions
by Bill Burke
The abstraction will still againt and it will still be possible to plug
in your own session implementation. But we don't think using JPA or
Mongo is a good solution for managing UserSessionModel. That's the
biggest reason we are deprecating it.
FYI, not sure what you mean by "JavaEE style clustering". Infinispan is
just a distributed cache/data grid and nothing to do with Java EE. I
don't see how Infinispan is any different than Redis.
On 8/14/2015 3:42 AM, David Illsley wrote:
> I'd really like to be able to run Keycloak without relying on JavaEE
> style clustering, and instead rely on modern 12-factor approaches. I was
> planning to do that by implementing a bunch of interfaces to use redis
> rather than JPA/Mongo/Infinispan, so I'm keen that you don't tie things
> too tightly to infinispan (not that I think you would. infinispan and
> redis effectively provide simple key/value stores).
>
> On Tue, Aug 4, 2015 at 5:57 PM, Bill Burke <bburke(a)redhat.com
> <mailto:bburke@redhat.com>> wrote:
>
> Hi all,
>
> Keycloak team would like to deprecate and remove the JPA and Mongo
> stores for UserSessions and just provide an Infinispan one. It is a
> pain to maintain these, and in our opinion, users really shouldn't be
> using JPA or Mongo to store User Sessions. Infinispan has a wide
> variety of configuration options for internal, external, and cloud
> networks.
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 9 months
key cloak findings
by Satyajit Das
Hi, kindly see the below-mentioned scenario and result. Please advise
whether the findings are as per expectations.
1) I created a new service and copied the keycloak.json from an existing
(registered at the Keycloak server) webservice project.
I didn't register the new service at Keycloak, deployed it on Tomcat and
executed the program. The new service gets called even if it is not
registered at the Keycloak server.
2) I changed the public shared key. Here the new service failed, saying token
mismatch.
mismatch.
Kindly let me know your thoughts.
Regards,
Satya.
8 years, 9 months
Remove address from registration and account management by default
by Stian Thorgersen
As highlighted by the UXP team the registration screen is not very nice. I propose we remove the address fields from the registration and account management. Instead we should have an example theme that shows adding additional fields to the screens.
8 years, 9 months
public/private api module structure
by Bill Burke
I was thinking we'd have a more coarse-grained module structure for public
APIs. We have a crap load of SPIs and having a module for each of them
is a pain for the user and us in creating/maintaining poms as well as
creating/maintaining JBoss modules. Something like:
keycloak-core-api
keycloak-server-api
keycloak-client-api
and
keycloak-saml-api
keycloak-oidc-api
Protocol APIs would be for the case where users need to access the raw
SAML document or JWT.
These API modules would only contain public APIs and helper classes. We
can consolidate and/or separate internal implementation classes into any
structure we want with the thought process being that we would organize
these modules so that we have the option to remove features as needed to
make a smaller distro.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 9 months