Sagar, I'm moving this to the keycloak-dev list. See comments inline.
On 9/25/2014 6:53 AM, Sagar Zond wrote:
We are planning to use Keycloak as the OAuth authorization server for our
API platform. Our understanding of Keycloak and OAuth is not very clear,
so we need your help to properly utilize Keycloak features.
Just to introduce ourselves, we are a start-up firm creating products
for the health care domain. In our architecture we will have multiple REST
API servers and multiple types of clients, like mobile, web and a publicly
exposed API. Keycloak can be used as the authentication and authorization
server. We have already gone through most of the Keycloak tutorials.
Here are a few points on which we need answers:
1. The API platform will be registered as an application server on Keycloak, and
clients (mobile app, web app or other app) will be authorized by
Keycloak as per the defined role. Is this a proper use case of Keycloak?

You'll have to elaborate. I don't know exactly what you are saying.
Your REST API server would be registered as a Keycloak "Application".
You can define roles per "Application" or at the Realm level (global roles).

2. How do we integrate OAuth into a mobile app? Where can we write

You can start off by defining a public "OAuth Client" per mobile app.
You can use the direct grant REST API to obtain a token, or use mobile
redirects to login through the mobile's browser. I believe the Aerogear
project is doing some work around Keycloak iOS and Android clients, but
you'd have to ping them.

3. How can we add more fields to the session? e.g. if we want to add a
token in the header which may contain some extra application-specific

Not sure what you mean. We don't have a nice way of adding claims to
the token at the moment.

4. We are currently using OpenDS LDAP for authentication and we
have a number of registered users who are currently using the API. So we need
Keycloak to be configured for OpenDS, so please suggest how to
integrate OpenDS with Keycloak.

We have LDAP integration:
JBoss, a division of Red Hat