Hi,
Thanks for the fast answer. I totally understand the permissions issue, and well, the
reason to send the previous mail was just to avoid this kind of problems.
Regarding to your suggestion on how to implement the self-registration, I understand
(after reading the documentation again) how to use the Realm Resource SPI together with
user attributes or either use the Client Registration Service.
However, as I see, there is no way to integrate it with the existing UI that Keycloak
has,doesn’t it? I’ve only been able to find that there are ways to extend the ServerInfo
page with some information, (example found in chapter 4.1.1 in the documentation). Is
there anything similar to a FormAction as described in 34.5.1 in the documentation to
integrate this extension with Keycloak’s UI, or I should create my own UI to create the
interface for this custom endpoints?
I’m sorry if this questions may be a bit basic, but even with the documentation, as it is
so extensive, I get sometimes a bit lost on what tools I have available to implement with
in this platform.
—
Best Regards,
Erik Berdonces Bonelo
On 6 June 2016 at 19:36:07, Stian Thorgersen (sthorger(a)redhat.com) wrote:
Hi,
We are planing to add more fine-grained permissions on admin endpoints in the future, but
it will be a while until we get to it. I'm not very keen on accepting something like
this now as we are planning to do fairly big changes around this in the future. You're
also the first person to ask about having clients specific to user, other people have so
far requested groups of clients that groups of users can manage.
I'd recommend using the Realm Resource SPI to create custom endpoints to accomplish
this. You can use an attribute on the clients to store the user that has created the
client and only allow that user to modify it in the future. You can also consider using
the client registration service. The client registration service allows anyone with a
create-role or an initial access token to create clients. When a client is created it
returns a registration access token that gives permission to modify/delete that particular
client in the future.
On 6 June 2016 at 14:39, Erik Berdonces Bonelo
<e.berdoncesbonelo(a)campus.tu-berlin.de> wrote:
Hello,
I’m working at the moment in a Master Thesis project in TU Berlin where we are using
Keycloak for Authentication and Authorisation purposes.
We are planning on extending Keycloak in order to provide users a way to register
clients/applications by themselves into the platform, while having an admin overseeing the
system.
This would mean that as a user, if I have the proper rights I should be able to create and
manage my own clients. With, this it comes the idea of ownership, as this would mean that
a client ownership could be transferred to someone else.
Also, the admin should be able to accept, revoke and delete the clients and requests to
create clients in my Keycloak.
At the moment the only option would be giving the permission to create clients to the
user, but that would allow to change ANY of the possible clients.
Then, I have two questions:
1. Would it make sense to integrate this to the Keycloak core?
2. If it doesn’t make sense to merge it in the core, is there any plugin system to
extend Keycloak’s core? I’ve seen a discussion related to a plugin system in GitHub but
there is no outcome yet. We would rather like to integrate it with Keycloak itself,
otherwise the other option would be creating a client that uses Keycloak’s REST API to
manage the clients remotely.
Thanks a lot in advance!
—
Best Regards,
Erik Berdonces Bonelo
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev