----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 3 October, 2013 2:59:15 PM
Subject: [keycloak-dev] Feedback on Oauth Clients
I need some feedback on how to handle OAuth Clients. OAuth clients are
like Applications in that Keycloak is used to log in, but OAuth clients
are required to be forwarded through the OAuth Grant Page. Users must
directly grant permission to the OAuth client to access stuff. OAuth
clients will also not be hooked into Single Logout or the session
management facilities I hope to incorporate into Keycloak. OAuth
clients will also not have roles associated with them.
The way Google does it is that they require you to login using your
Google account, then you create applications within their cloud service
app. Applications get their own unique client-id and password and you
then assign permissions to this application.
I was thinking we should do something similar for Keycloak.
For our first release, we'll have a specific Admin UI in which you can
create OAuth clients in much the same way you create applications.
For phase 2, I was thinking that the user account management would be
expanded to have an option (if allowed by the realm) for creating and
registering an OAuth client. The user would then have a client-id
generated for them and they would have to set up credentials for this
client-id.
I think this should be part of the admin console, not the account management. A realm
should have an option to enable "user-defined applications" or whatever
you'd call them. I also think that users should have roles associated with them to
be allowed to login to the admin console + to create applications.
When a realm user logs in to the admin console he should be able to create applications
under the realm, but not to change any realm configurations, nor create new realms, etc.
Applications created by such users should be "OAuth Client", not "Keycloak
Applications", so the grant page would pop-up on login.
In fact, a realm user should be able to log in to the admin console and perform any
operation the user has been given access to do?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
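As an added illustration of the distinction the thread is about (not code from Keycloak or from either poster), the model below encodes the two client kinds: an Application logs the user straight in, while an OAuth Client must pass through the grant page until the user has consented, and a realm user may register only OAuth Clients, and only when the realm enables it. The role name "create-applications", the realm flag name and all sample data are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Client:
    client_id: str
    kind: str                                  # "application" or "oauth_client"
    roles: set = field(default_factory=set)    # only Applications carry roles

@dataclass
class Realm:
    name: str
    user_defined_applications: bool = False    # realm option proposed in the reply
    clients: dict = field(default_factory=dict)
    grants: set = field(default_factory=set)   # (username, client_id) the user consented to

def authorize(realm: Realm, username: str, client_id: str) -> str:
    """Decide the next step once the user has authenticated to the realm.
    Returns "issue_code", "grant_page" or "unknown_client"."""
    client = realm.clients.get(client_id)
    if client is None:
        return "unknown_client"            # never redirect to an unregistered client
    if client.kind == "application":
        return "issue_code"                # Applications skip the grant page
    if (username, client_id) in realm.grants:
        return "issue_code"                # consent already given for this pair
    return "grant_page"                    # OAuth Client: user must grant first

def record_grant(realm: Realm, username: str, client_id: str) -> None:
    """Persist the user's decision on the grant page."""
    realm.grants.add((username, client_id))

def register_client(realm: Realm, user_roles: set, client_id: str) -> Client:
    """Self-service registration by a realm user: only an OAuth Client can be
    created, the realm itself is never modified, and the role is required."""
    if not realm.user_defined_applications:
        raise PermissionError("realm does not allow user-defined applications")
    if "create-applications" not in user_roles:    # assumed role name
        raise PermissionError("user lacks the create-applications role")
    if client_id in realm.clients:
        raise ValueError("client-id already registered")
    client = Client(client_id=client_id, kind="oauth_client")
    realm.clients[client_id] = client
    return client

def demo_realm() -> Realm:
    """Constructed sample realm with one admin-created Application."""
    realm = Realm("demo", user_defined_applications=True)
    realm.clients["intranet"] = Client("intranet", "application", roles={"user"})
    return realm
```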