Sorry, I meant many to many: Realm - Application. I thought that's what
you were implying. At runtime the Application needs knowledge of the
Realm it is working with as described earlier.
On 7/31/2013 5:12 AM, Stian Thorgersen wrote:
Hm...
Surely there has to be a many applications per realm, why would you otherwise want SSO
for a realm?
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Tuesday, 30 July, 2013 5:58:34 PM
> Subject: Re: [keycloak-dev] Realms and applications
>
> I'm not sure yet if there will be a one-to-many for realm->applications.
> But, An application needs to be aware of the realms it is interacting
> with for a variety of reasons.
>
> The whole OAuth 2 protocol[1] requires knowledge of the realm it is
> logging into:
>
> * It needs to be registered with the realm and have a client_id and set
> of credentials
> * It needs to know which realm to make an authenticated request to so it
> can turn an access code into an access token. (This happens after
> Keycloak redirects the browser back to the application)
> * For bearer token authentication, it needs to know the public key of
> the realm the token comes from so it can verify the signed token.
> * For single sign off, Keycloak sends a signed request to the admin URL
> of the Application. The application needs to know the public key of the
> realm sending the request so it can verify the signed request. It also
> needs a way to match the request user to an Http Session so it can
> invalidate that session.
>
> Obtaining user profile information is sensitive. In many cases, we have
> to know that the user authorized this behavior. In others, the realm
> admin will have to assign permission (one or more roles) to an
> application to be able to request this information.
>
> IMO, for the 1st few iterations, there should only be a one-to-one
> mapping between Realm and application. I'm not sure how useful
> one-to-many would be anyways.
>
> [1] http://tools.ietf.org/html/rfc6749
>
>
>
> On 7/30/2013 11:54 AM, Stian Thorgersen wrote:
>> Is the relationship between a realm and applications one-to-many? If so I
>> assume it would be possible to change the realm an application uses?
>>
>> Also I was wondering if it's necessary that an application has to know what
>> realm to use to login users. According to
>> https://github.com/keycloak/keycloak/wiki/Login-Algorithm the application
>> should redirect to:
>>
>> https://keycloak.org/realms/demo/tokens/login?state=...&redirect_uri=....
>>
>> Would it not be better if it didn't have to know about the realm? So login
>> would be something like:
>>
>> https://keycloak.org/oauth2/?state=...&redirect_uri=...&client_id=...
>>
>> Same applies when an application wants to access lists of users, or the
>> user profile for a specific user, etc.
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
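The realm-keyed checks Bill lists above (verify a bearer token and a signed single-sign-off request under the public key of the realm that sent it, then match the user to an HTTP session to invalidate it), as an added Go example; this is not Keycloak code or anything from this thread. The Ed25519 keys, the "realm.user.sig" message layout, and the Application type with its functions are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"strings"
)

// Application-side state (hypothetical shape, not Keycloak's own): one public key per
// realm the app is registered with, and HTTP sessions mapped to the "realm.user" owning each.
type Application struct {
	Realms   map[string]ed25519.PublicKey
	Sessions map[string]string
}
// Realm side. Constructed layout "realm.user.sig": the realm signs "realm.user" with its
// private key; the same shape stands in here for a bearer token and a sign-off request.
func SignRealmMessage(realm, user string, priv ed25519.PrivateKey) string {
	body := realm + "." + user
	return body + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, []byte(body)))
}

// Verify picks the public key by the realm named in the message. An unknown realm is
// rejected outright, so a message signed by one realm is never checked under another's key.
func (a *Application) Verify(msg string) (realm, user string, err error) {
	parts := strings.Split(msg, ".")
	if len(parts) != 3 {
		return "", "", errors.New("malformed message")
	}
	pub, ok := a.Realms[parts[0]]
	if !ok {
		return "", "", errors.New("unknown realm: " + parts[0])
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return "", "", errors.New("signature does not verify under this realm's key")
	}
	return parts[0], parts[1], nil
}

// SignOff handles a signed single-sign-off request: verify it, then invalidate every HTTP
// session owned by that realm's user, returning how many were dropped.
func (a *Application) SignOff(req string) (dropped int, err error) {
	realm, user, err := a.Verify(req)
	if err != nil {
		return 0, err
	}
	for id, owner := range a.Sessions {
		if owner == realm+"."+user {
			delete(a.Sessions, id)
			dropped++
		}
	}
	return dropped, nil
}
```

A token that names a realm the application is not registered with fails before any signature check, which is the point of the per-realm registry: the key is chosen by the realm, never guessed.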