With regards to mobile we have AeroGear guys working on it and I do believe they're
using webviews.
I'd like to at some point schedule a meeting with them so we can discuss what the best
integration angle is. There seems to be quite a lot of people not wanting to do webviews,
with a good reason as they have a certain clumsy element. Besides they often end up with
having a separate cookie per-app so SSO doesn't work in either case.
Let's put the idea of passing a access token to the direct grant api on the
back-burner for now, until we have a clear vision on how mobile adapters should work.
----- Original Message -----
From: "Pedro Igor Silva" <psilva(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, 5 December, 2014 3:41:49 PM
Subject: Re: [keycloak-dev] Federated Identity and Authentication Broker
----- Original Message -----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> To: "Pedro Igor Silva" <psilva(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Friday, December 5, 2014 12:36:53 PM
> Subject: Re: [keycloak-dev] Federated Identity and Authentication Broker
>
>
>
> ----- Original Message -----
> > From: "Pedro Igor Silva" <psilva(a)redhat.com>
> > To: "Stian Thorgersen" <stian(a)redhat.com>
> > Cc: keycloak-dev(a)lists.jboss.org
> > Sent: Friday, 5 December, 2014 3:29:08 PM
> > Subject: Re: [keycloak-dev] Federated Identity and Authentication Broker
> >
> > ----- Original Message -----
> > > From: "Stian Thorgersen" <stian(a)redhat.com>
> > > To: "Pedro Igor Silva" <psilva(a)redhat.com>
> > > Cc: keycloak-dev(a)lists.jboss.org
> > > Sent: Friday, December 5, 2014 12:23:53 PM
> > > Subject: Re: [keycloak-dev] Federated Identity and Authentication
> > > Broker
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Pedro Igor Silva" <psilva(a)redhat.com>
> > > > To: "Stian Thorgersen" <stian(a)redhat.com>
> > > > Cc: keycloak-dev(a)lists.jboss.org
> > > > Sent: Friday, 5 December, 2014 3:15:42 PM
> > > > Subject: Re: [keycloak-dev] Federated Identity and Authentication
> > > > Broker
> > > >
> > > > ----- Original Message -----
> > > > > From: "Stian Thorgersen" <stian(a)redhat.com>
> > > > > To: "Pedro Igor Silva" <psilva(a)redhat.com>
> > > > > Cc: keycloak-dev(a)lists.jboss.org
> > > > > Sent: Friday, December 5, 2014 12:07:37 PM
> > > > > Subject: Re: [keycloak-dev] Federated Identity and
Authentication
> > > > > Broker
> > > > >
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Pedro Igor Silva"
<psilva(a)redhat.com>
> > > > > > To: "Stian Thorgersen" <stian(a)redhat.com>
> > > > > > Cc: keycloak-dev(a)lists.jboss.org
> > > > > > Sent: Friday, 5 December, 2014 2:57:46 PM
> > > > > > Subject: Re: [keycloak-dev] Federated Identity and
Authentication
> > > > > > Broker
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Stian Thorgersen"
<stian(a)redhat.com>
> > > > > > > To: "Pedro Igor Silva"
<psilva(a)redhat.com>
> > > > > > > Cc: keycloak-dev(a)lists.jboss.org
> > > > > > > Sent: Friday, December 5, 2014 11:43:32 AM
> > > > > > > Subject: Re: [keycloak-dev] Federated Identity and
> > > > > > > Authentication
> > > > > > > Broker
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Pedro Igor Silva"
<psilva(a)redhat.com>
> > > > > > > > To: "Stian Thorgersen"
<stian(a)redhat.com>
> > > > > > > > Cc: keycloak-dev(a)lists.jboss.org
> > > > > > > > Sent: Friday, 5 December, 2014 2:36:14 PM
> > > > > > > > Subject: Re: [keycloak-dev] Federated Identity
and
> > > > > > > > Authentication
> > > > > > > > Broker
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > > From: "Stian Thorgersen"
<stian(a)redhat.com>
> > > > > > > > > To: "Pedro Igor Silva"
<psilva(a)redhat.com>
> > > > > > > > > Cc: keycloak-dev(a)lists.jboss.org
> > > > > > > > > Sent: Friday, December 5, 2014 10:59:08 AM
> > > > > > > > > Subject: Re: [keycloak-dev] Federated
Identity and
> > > > > > > > > Authentication
> > > > > > > > > Broker
> > > > > > > > >
> > > > > > > > > Another related thing. We've had a few
people ask to be
> > > > > > > > > able
> > > > > > > > > to
> > > > > > > > > login
> > > > > > > > > to
> > > > > > > > > Keycloak on mobiles using the native social
login
> > > > > > > > > mechanism.
> > > > > > > > >
> > > > > > > > > I think the best way to do that is to use
the direct grant
> > > > > > > > > api
> > > > > > > > > and
> > > > > > > > > make
> > > > > > > > > it
> > > > > > > > > possible to call that endpoint passing a IdP
id and a token
> > > > > > > > > instead
> > > > > > > > > of
> > > > > > > > > username and password.
> > > > > > > > >
> > > > > > > > > WDYT?
> > > > > > > >
> > > > > > > > The broker endpoint expects the idp id in order
to start the
> > > > > > > > authentication
> > > > > > > > process. Today, the endpoint also expects KCs
authorization
> > > > > > > > code
> > > > > > > > in
> > > > > > > > order
> > > > > > > > to
> > > > > > > > validate requests from clients and use it as a
state to
> > > > > > > > validate
> > > > > > > > responses
> > > > > > > > from the trusted idps.
> > > > > > > >
> > > > > > > > This authorization code is a blocker for this use
case, given
> > > > > > > > that
> > > > > > > > mobile
> > > > > > > > don't have this code and just want to start
the
> > > > > > > > authentication.
> > > > > > > >
> > > > > > > > A possible solution would be to change the broker
to also
> > > > > > > > accept
> > > > > > > > a
> > > > > > > > client_id
> > > > > > > > to reference the mobile app and perform some
validations
> > > > > > > > based
> > > > > > > > on
> > > > > > > > that.
> > > > > > > > Something like that:
> > > > > > > >
> > > > > > > > 1) Mobile displays a Facebook button
> > > > > > > > 2) User clicks the button and mobile sends a
request to KC
> > > > > > > > Broker
> > > > > > > > with
> > > > > > > > the
> > > > > > > > idp id and his client_id.
> > > > > > > > 3) KC Broker checks if the client_id is valid and
creates a
> > > > > > > > temporary
> > > > > > > > authorization code.
> > > > > > > > 4) KC Broker redirect mobile to the chosen IdP to
perform
> > > > > > > > authentication.
> > > > > > > > 5) KC Broker receives a response from the IdP,
generate its
> > > > > > > > own
> > > > > > > > token
> > > > > > > > and
> > > > > > > > send it back to mobile
> > > > > > > >
> > > > > > > > Makes sense ?
> > > > > > >
> > > > > > > No that's not the flow I had in mind. Basically
the mobile app
> > > > > > > authenticates
> > > > > > > with Facebook through the native mechanisms. The app
then has
> > > > > > > an
> > > > > > > access
> > > > > > > token, which it would send to Keycloak on the direct
grant api
> > > > > > > to
> > > > > > > obtain
> > > > > > > a
> > > > > > > Keycloak token.
> > > > > >
> > > > > > Ahh, now I get what you mean :)
> > > > > >
> > > > > > Yes, what you said is enough. Then we just need to validate
the
> > > > > > access
> > > > > > token
> > > > > > (eg.: using a tokeninfo endpoint).
> > > > > >
> > > > > > But I think we can also consider that use case I mentioned.
You
> > > > > > may
> > > > > > want
> > > > > > to
> > > > > > login without forcing the user to redirect to KC login
page.
> > > > >
> > > > > We could just add a query param to the login url that lets you
pick
> > > > > the
> > > > > IdP
> > > > > to use by alias?
> > > > >
> > > > > For example
auth/.../login?client_id=...&auth_method=google
> > > >
> > > > Yes, just like my previously example, we need the client_id. The idp
> > > > id/alias
> > > > is already there.
> > >
> > > Sure, was just saying it should be the same URL as the regular login
> > > page,
> > > but with one extra param to specify the IdP.
> > >
> > > >
> > > > Btw, regarding SAML. SAML does not provide a "validation"
endpoint
> > > > like
> > > > oAuth2/OpenID providers usually provide. AFAIK, there is nothing on
> > > > the
> > > > specs for that. What can be done here is validate SAML assertions
> > > > against
> > > > a
> > > > WS-Trust STS. Or just trust the assertion based on the signature and
> > > > others
> > > > standards info along it.
> > > >
> > > > We can also take a closer look at the oAuth2 SAML bearer token
> > > > profile
> > > > and
> > > > see if it helps.
> > >
> > > If we could have it for social and OpenID Connect providers for now
> > > that'd
> > > be
> > > good.
> >
> > Deal. I'll do that.
> >
> > What about that use case I mentioned ? The one about mobile asking to
> > broker
> > (not previously issued access_token) an identity provider ?
>
> Sounds like a nice feature, but I'm not sure if anyone would use it. It
> also
> has a bit of an issue related to adapters, as they would have to have some
> support for it. For example we added a while back the login_hint query
> param
> from OpenID Connect, which is really only usable from the JS adapter
> currently.
How does mobile authenticate with KC today ? Users are redirect to KC login
page in a web view ?
>
> >
> > >
> > > >
> > > > >
> > > > > >
> > > > > > >
> > > > > > > Same for other identity providers, the assumption is
the app
> > > > > > > has
> > > > > > > an
> > > > > > > out
> > > > > > > of
> > > > > > > bounds mechanism to obtain an access token, which is
then sent
> > > > > > > to
> > > > > > > Keycloak
> > > > > > > over the direct grant api.
> > > > > > >
> > > > > > > >
> > > > > > > > >
> > > > > > > > > ----- Original Message -----
> > > > > > > > > > From: "Pedro Igor Silva"
<psilva(a)redhat.com>
> > > > > > > > > > To: "Stian Thorgersen"
<stian(a)redhat.com>
> > > > > > > > > > Cc: keycloak-dev(a)lists.jboss.org
> > > > > > > > > > Sent: Friday, 5 December, 2014 1:45:24
PM
> > > > > > > > > > Subject: Re: [keycloak-dev] Federated
Identity and
> > > > > > > > > > Authentication
> > > > > > > > > > Broker
> > > > > > > > > >
> > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > From: "Stian Thorgersen"
<stian(a)redhat.com>
> > > > > > > > > > > To: "Pedro Igor Silva"
<psilva(a)redhat.com>
> > > > > > > > > > > Cc: keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > Sent: Friday, December 5, 2014
10:22:10 AM
> > > > > > > > > > > Subject: Re: [keycloak-dev]
Federated Identity and
> > > > > > > > > > > Authentication
> > > > > > > > > > > Broker
> > > > > > > > > > >
> > > > > > > > > > > Looks good. I reckon we can
combine the two pages. What
> > > > > > > > > > > about
> > > > > > > > > > > if
> > > > > > > > > > > the
> > > > > > > > > > > 'Add
> > > > > > > > > > > provider' drop-down is:
> > > > > > > > > > >
> > > > > > > > > > > OpenID
> > > > > > > > > > > SAML
> > > > > > > > > > > ------
> > > > > > > > > > > Google
> > > > > > > > > > > GitHub
> > > > > > > > > > > Facebook
> > > > > > > > > > > Twitter
> > > > > > > > > > >
> > > > > > > > > > > Let's drop social on/off and
instead have a
> > > > > > > > > > > enable/disable
> > > > > > > > > > > button
> > > > > > > > > > > on
> > > > > > > > > > > each
> > > > > > > > > > > provider.
> > > > > > > > > >
> > > > > > > > > > Sure.
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Also, would be nice if users could
set a name or alias
> > > > > > > > > > > for
> > > > > > > > > > > a
> > > > > > > > > > > provider
> > > > > > > > > > > instance. This would make the
callback url easier to
> > > > > > > > > > > use
> > > > > > > > > > > (instead
> > > > > > > > > > > of
> > > > > > > > > > > callback/<UUID> it's
callback/<alias>). The user
> > > > > > > > > > > federation
> > > > > > > > > > > providers
> > > > > > > > > > > have
> > > > > > > > > > > this.
> > > > > > > > > >
> > > > > > > > > > One of my first tries was using an
alias, just like that.
> > > > > > > > > > But
> > > > > > > > > > I
> > > > > > > > > > preferred
> > > > > > > > > > using the UUID and make the
configuration more easier.
> > > > > > > > > > Beside
> > > > > > > > > > that,
> > > > > > > > > > the
> > > > > > > > > > callback url is just a copy and paste,
so I think an
> > > > > > > > > > alias
> > > > > > > > > > would
> > > > > > > > > > not
> > > > > > > > > > bring
> > > > > > > > > > so much usability, but add one more
step when configuring
> > > > > > > > > > providers.
> > > > > > > > > >
> > > > > > > > > > However, if this is an usability
requirement for KC I can
> > > > > > > > > > change
> > > > > > > > > > that.
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > > From: "Pedro Igor
Silva" <psilva(a)redhat.com>
> > > > > > > > > > > > To: "Stian
Thorgersen" <stian(a)redhat.com>
> > > > > > > > > > > > Cc:
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > Sent: Friday, 5 December,
2014 1:08:53 PM
> > > > > > > > > > > > Subject: Re: [keycloak-dev]
Federated Identity and
> > > > > > > > > > > > Authentication
> > > > > > > > > > > > Broker
> > > > > > > > > > > >
> > > > > > > > > > > > In one of our last
discussions, you suggested to
> > > > > > > > > > > > leave
> > > > > > > > > > > > Social
> > > > > > > > > > > > as
> > > > > > > > > > > > it
> > > > > > > > > > > > is.
> > > > > > > > > > > > Although IMO I think we can
have a single place to
> > > > > > > > > > > > manage
> > > > > > > > > > > > both
> > > > > > > > > > > > social
> > > > > > > > > > > > and
> > > > > > > > > > > > user-defined identity
providers. Social ones are just
> > > > > > > > > > > > OOTB
> > > > > > > > > > > > and
> > > > > > > > > > > > pre-configured identity
providers now.
> > > > > > > > > > > >
> > > > > > > > > > > > That said, today I'm
using separated tabs for social
> > > > > > > > > > > > and
> > > > > > > > > > > > user-defined.
> > > > > > > > > > > > Please, take a look at [1]
for more details on how
> > > > > > > > > > > > the
> > > > > > > > > > > > UI
> > > > > > > > > > > > looks
> > > > > > > > > > > > like.
> > > > > > > > > > > >
> > > > > > > > > > > > I've changed social UI a
bit in order to provide a
> > > > > > > > > > > > specific
> > > > > > > > > > > > page
> > > > > > > > > > > > for
> > > > > > > > > > > > create/update. I've also
added a "Show Secret" link
> > > > > > > > > > > > to
> > > > > > > > > > > > display
> > > > > > > > > > > > the
> > > > > > > > > > > > client_secret in clear text
if user wants to.
> > > > > > > > > > > >
> > > > > > > > > > > > Beside the enable/disable
button, I think another
> > > > > > > > > > > > good
> > > > > > > > > > > > thing
> > > > > > > > > > > > to
> > > > > > > > > > > > do
> > > > > > > > > > > > is
> > > > > > > > > > > > specify
> > > > > > > > > > > > a default role(s) for each
provider. That can be
> > > > > > > > > > > > useful
> > > > > > > > > > > > if
> > > > > > > > > > > > applications
> > > > > > > > > > > > want
> > > > > > > > > > > > to perform any kind of
authorization based on the
> > > > > > > > > > > > identity
> > > > > > > > > > > > provider
> > > > > > > > > > > > or
> > > > > > > > > > > > authentication method used to
authenticate an user
> > > > > > > > > > > > (eg.:
> > > > > > > > > > > > useful
> > > > > > > > > > > > for
> > > > > > > > > > > > adaptative or multi-level
access control). We can
> > > > > > > > > > > > also
> > > > > > > > > > > > use
> > > > > > > > > > > > the
> > > > > > > > > > > > "amr"
> > > > > > > > > > > > claim
> > > > > > > > > > > > in the ID Token, which seems
KC is not considering at
> > > > > > > > > > > > all.
> > > > > > > > > > > > The
> > > > > > > > > > > > latter
> > > > > > > > > > > > is
> > > > > > > > > > > > an
> > > > > > > > > > > > important thing to think of,
regardless this broker
> > > > > > > > > > > > work
> > > > > > > > > > > > I'm
> > > > > > > > > > > > doing.
> > > > > > > > > > > >
> > > > > > > > > > > > [1]
> > > > > > > > > > > >
https://drive.google.com/file/d/0BwjsrPoH8khWMFBvNUcwYWVHRUU/view?usp=sha...
> > > > > > > > > > > >
> > > > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > > From: "Stian
Thorgersen" <stian(a)redhat.com>
> > > > > > > > > > > > To: "Pedro Igor
Silva" <psilva(a)redhat.com>
> > > > > > > > > > > > Cc:
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > Sent: Friday, December 5,
2014 6:15:15 AM
> > > > > > > > > > > > Subject: Re: [keycloak-dev]
Federated Identity and
> > > > > > > > > > > > Authentication
> > > > > > > > > > > > Broker
> > > > > > > > > > > >
> > > > > > > > > > > > Having a separate
enable/disable for each provider
> > > > > > > > > > > > would
> > > > > > > > > > > > be
> > > > > > > > > > > > good.
> > > > > > > > > > > > If
> > > > > > > > > > > > you're
> > > > > > > > > > > > leaving the social tab as is
and adding a separate
> > > > > > > > > > > > tab
> > > > > > > > > > > > for
> > > > > > > > > > > > configuring
> > > > > > > > > > > > brokered idp's then we
should leave the social
> > > > > > > > > > > > enable/disable
> > > > > > > > > > > > button,
> > > > > > > > > > > > otherwise it depends how
it'll look like in the end.
> > > > > > > > > > > >
> > > > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > > > From: "Pedro Igor
Silva" <psilva(a)redhat.com>
> > > > > > > > > > > > > To: "Stian
Thorgersen" <stian(a)redhat.com>
> > > > > > > > > > > > > Cc:
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > Sent: Friday, 5
December, 2014 2:29:37 AM
> > > > > > > > > > > > > Subject: Re:
[keycloak-dev] Federated Identity and
> > > > > > > > > > > > > Authentication
> > > > > > > > > > > > > Broker
> > > > > > > > > > > > >
> > > > > > > > > > > > > Hi,
> > > > > > > > > > > > >
> > > > > > > > > > > > > Social has a button
to enable/disable it. I'm
> > > > > > > > > > > > > wondering
> > > > > > > > > > > > > what
> > > > > > > > > > > > > to
> > > > > > > > > > > > > do
> > > > > > > > > > > > > with
> > > > > > > > > > > > > the brokered identity
providers. Shall we add a
> > > > > > > > > > > > > similar
> > > > > > > > > > > > > flag
> > > > > > > > > > > > > for
> > > > > > > > > > > > > that
> > > > > > > > > > > > > ?
> > > > > > > > > > > > >
> > > > > > > > > > > > > I was also wondering
if the best would be a flag
> > > > > > > > > > > > > in
> > > > > > > > > > > > > a
> > > > > > > > > > > > > per
> > > > > > > > > > > > > provider
> > > > > > > > > > > > > basis.
> > > > > > > > > > > > > So we can
disable/enable a specific provider
> > > > > > > > > > > > > (social
> > > > > > > > > > > > > or
> > > > > > > > > > > > > brokered),
> > > > > > > > > > > > > instead of doing that
for all.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Regards.
> > > > > > > > > > > > > Pedro Igor
> > > > > > > > > > > > >
> > > > > > > > > > > > > ----- Original Message
-----
> > > > > > > > > > > > > From: "Pedro Igor
Silva" <psilva(a)redhat.com>
> > > > > > > > > > > > > To: "Stian
Thorgersen" <stian(a)redhat.com>
> > > > > > > > > > > > > Cc:
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > Sent: Tuesday, December
2, 2014 10:42:11 AM
> > > > > > > > > > > > > Subject: Re:
[keycloak-dev] Federated Identity and
> > > > > > > > > > > > > Authentication
> > > > > > > > > > > > > Broker
> > > > > > > > > > > > >
> > > > > > > > > > > > > ----- Original Message
-----
> > > > > > > > > > > > > > From: "Stian
Thorgersen" <stian(a)redhat.com>
> > > > > > > > > > > > > > To: "Pedro
Igor Silva" <psilva(a)redhat.com>
> > > > > > > > > > > > > > Cc:
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > Sent: Tuesday,
December 2, 2014 10:23:24 AM
> > > > > > > > > > > > > > Subject: Re:
[keycloak-dev] Federated Identity
> > > > > > > > > > > > > > and
> > > > > > > > > > > > > > Authentication
> > > > > > > > > > > > > > Broker
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > ----- Original
Message -----
> > > > > > > > > > > > > > > From:
"Pedro Igor Silva" <psilva(a)redhat.com>
> > > > > > > > > > > > > > > To:
"Stian Thorgersen" <stian(a)redhat.com>
> > > > > > > > > > > > > > > Cc:
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > Sent: Tuesday,
2 December, 2014 1:13:08 PM
> > > > > > > > > > > > > > > Subject: Re:
[keycloak-dev] Federated Identity
> > > > > > > > > > > > > > > and
> > > > > > > > > > > > > > >
Authentication
> > > > > > > > > > > > > > > Broker
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I'll go
for it then. Will remove the icon url
> > > > > > > > > > > > > > > from
> > > > > > > > > > > > > > > the
> > > > > > > > > > > > > > > model
> > > > > > > > > > > > > > > and
> > > > > > > > > > > > > > > leave
> > > > > > > > > > > > > > > that
> > > > > > > > > > > > > > > for users if
they want to provide icons for
> > > > > > > > > > > > > > > their
> > > > > > > > > > > > > > > identity
> > > > > > > > > > > > > > > providers.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > My point is
that icons can be usually served by
> > > > > > > > > > > > > > > the
> > > > > > > > > > > > > > > same
> > > > > > > > > > > > > > >
server/application
> > > > > > > > > > > > > > > or proxy, so
download images are not such a big
> > > > > > > > > > > > > > > deal.
> > > > > > > > > > > > > > > Also,
> > > > > > > > > > > > > > > the
> > > > > > > > > > > > > > > icon
> > > > > > > > > > > > > > > url
> > > > > > > > > > > > > > > is
> > > > > > > > > > > > > > > part of the
freemarker model and people can do
> > > > > > > > > > > > > > > what
> > > > > > > > > > > > > > > ever
> > > > > > > > > > > > > > > they
> > > > > > > > > > > > > > > want
> > > > > > > > > > > > > > > with
> > > > > > > > > > > > > > > it.
> > > > > > > > > > > > > > > What I think
will also help in your future
> > > > > > > > > > > > > > > plans.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I'm not
following. Are you saying that if a named
> > > > > > > > > > > > > > image
> > > > > > > > > > > > > >
'my-provider.png'
> > > > > > > > > > > > > > is
> > > > > > > > > > > > > > loaded from a
theme, then you can override it in
> > > > > > > > > > > > > > another
> > > > > > > > > > > > > > theme?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > If so, that's
basically the same as having a css
> > > > > > > > > > > > > > class
> > > > > > > > > > > > > >
'my-provider'
> > > > > > > > > > > > > > in
> > > > > > > > > > > > > > a
> > > > > > > > > > > > > > theme. With the
exception that with an image you
> > > > > > > > > > > > > > end
> > > > > > > > > > > > > > up
> > > > > > > > > > > > > > with
> > > > > > > > > > > > > > having
> > > > > > > > > > > > > > to
> > > > > > > > > > > > > > require a image per
provider per theme per
> > > > > > > > > > > > > > language,
> > > > > > > > > > > > > > which
> > > > > > > > > > > > > > could
> > > > > > > > > > > > > > be
> > > > > > > > > > > > > > a
> > > > > > > > > > > > > > lot
> > > > > > > > > > > > > > of
> > > > > > > > > > > > > > images for a single
provider. Also, buttons for
> > > > > > > > > > > > > > accessibility
> > > > > > > > > > > > > > should
> > > > > > > > > > > > > > be
> > > > > > > > > > > > > > defined with text
and css, not images that can't
> > > > > > > > > > > > > > be
> > > > > > > > > > > > > > interpreted.
> > > > > > > > > > > > > > You
> > > > > > > > > > > > > > also
> > > > > > > > > > > > > > still need to
modify the theme, so I don't see
> > > > > > > > > > > > > > any
> > > > > > > > > > > > > > benefits.
> > > > > > > > > > > > >
> > > > > > > > > > > > > You are right. Having a
icon url per provider does
> > > > > > > > > > > > > not
> > > > > > > > > > > > > makes
> > > > > > > > > > > > > sense
> > > > > > > > > > > > > if
> > > > > > > > > > > > > there
> > > > > > > > > > > > > are requirements to
change images accordingly to a
> > > > > > > > > > > > > theme
> > > > > > > > > > > > > or
> > > > > > > > > > > > > language.
> > > > > > > > > > > > > CSS
> > > > > > > > > > > > > makes life easier.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Will remove that
property from the model.
> > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > ----- Original
Message -----
> > > > > > > > > > > > > > > From:
"Stian Thorgersen" <stian(a)redhat.com>
> > > > > > > > > > > > > > > To:
"Pedro Igor Silva" <psilva(a)redhat.com>
> > > > > > > > > > > > > > > Cc:
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > Sent: Tuesday,
December 2, 2014 10:04:33 AM
> > > > > > > > > > > > > > > Subject: Re:
[keycloak-dev] Federated Identity
> > > > > > > > > > > > > > > and
> > > > > > > > > > > > > > >
Authentication
> > > > > > > > > > > > > > > Broker
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > ----- Original
Message -----
> > > > > > > > > > > > > > > > From:
"Pedro Igor Silva" <psilva(a)redhat.com>
> > > > > > > > > > > > > > > > To:
"Stian Thorgersen" <stian(a)redhat.com>
> > > > > > > > > > > > > > > > Cc:
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > Sent:
Tuesday, 2 December, 2014 12:55:21 PM
> > > > > > > > > > > > > > > > Subject:
Re: [keycloak-dev] Federated
> > > > > > > > > > > > > > > > Identity
> > > > > > > > > > > > > > > > and
> > > > > > > > > > > > > > > >
Authentication
> > > > > > > > > > > > > > > > Broker
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Users can
now specify a Icon Url to be
> > > > > > > > > > > > > > > > rendered
> > > > > > > > > > > > > > > > on
> > > > > > > > > > > > > > > > the
> > > > > > > > > > > > > > > > login
> > > > > > > > > > > > > > > > page
> > > > > > > > > > > > > > > > when
> > > > > > > > > > > > > > > > social
> > > > > > > > > > > > > > > > or any
other identity provider is configured.
> > > > > > > > > > > > > > > > So
> > > > > > > > > > > > > > > > we
> > > > > > > > > > > > > > > > just
> > > > > > > > > > > > > > > > load
> > > > > > > > > > > > > > > > the
> > > > > > > > > > > > > > > > image
> > > > > > > > > > > > > > > > the
> > > > > > > > > > > > > > > > url
entered by the user.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Are you
saying that users should change the
> > > > > > > > > > > > > > > > theme
> > > > > > > > > > > > > > > > or
> > > > > > > > > > > > > > > >
customize
> > > > > > > > > > > > > > > > css
> > > > > > > > > > > > > > > > if
> > > > > > > > > > > > > > > > they
> > > > > > > > > > > > > > > > only want
to change an icon for a provider ?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Yes,
there's many issues with having a icon
> > > > > > > > > > > > > > > url:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > * Won't
work for internationalization - we
> > > > > > > > > > > > > > > don't
> > > > > > > > > > > > > > > have
> > > > > > > > > > > > > > > this
> > > > > > > > > > > > > > > now,
> > > > > > > > > > > > > > > but
> > > > > > > > > > > > > > > we
> > > > > > > > > > > > > > > will
> > > > > > > > > > > > > > > * Image is not
a good button - CSS is much
> > > > > > > > > > > > > > > better
> > > > > > > > > > > > > > > * Doesn't
support themes - we allow users to
> > > > > > > > > > > > > > > switch
> > > > > > > > > > > > > > > l&f
> > > > > > > > > > > > > > > by
> > > > > > > > > > > > > > > switching
> > > > > > > > > > > > > > > themes,
> > > > > > > > > > > > > > > but that
won't work for a icon url. In the
> > > > > > > > > > > > > > > future
> > > > > > > > > > > > > > > we
> > > > > > > > > > > > > > > may
> > > > > > > > > > > > > > > also
> > > > > > > > > > > > > > > support
> > > > > > > > > > > > > > > multiple
themes per-realm, for example to
> > > > > > > > > > > > > > > depending
> > > > > > > > > > > > > > > on
> > > > > > > > > > > > > > > the
> > > > > > > > > > > > > > > devices
> > > > > > > > > > > > > > > (one
> > > > > > > > > > > > > > > theme for
mobiles, one for desktops, etc)
> > > > > > > > > > > > > > > * Requires the
URL to be hosted somewhere - why
> > > > > > > > > > > > > > > require
> > > > > > > > > > > > > > > a
> > > > > > > > > > > > > > > separate
> > > > > > > > > > > > > > > call
> > > > > > > > > > > > > > > to
> > > > > > > > > > > > > > > download an
image (to a separate server maybe)
> > > > > > > > > > > > > > > if
> > > > > > > > > > > > > > > it
> > > > > > > > > > > > > > > can
> > > > > > > > > > > > > > > simply
> > > > > > > > > > > > > > > be
> > > > > > > > > > > > > > > defined
> > > > > > > > > > > > > > > in a single
CSS file?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Rather than
add additional places to define
> > > > > > > > > > > > > > > look
> > > > > > > > > > > > > > > and
> > > > > > > > > > > > > > > feel
> > > > > > > > > > > > > > > components
> > > > > > > > > > > > > > > we
> > > > > > > > > > > > > > > should in the
future make it easier to
> > > > > > > > > > > > > > > add/customize
> > > > > > > > > > > > > > > themes.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > -----
Original Message -----
> > > > > > > > > > > > > > > > From:
"Stian Thorgersen" <stian(a)redhat.com>
> > > > > > > > > > > > > > > > To:
"Pedro Igor Silva" <psilva(a)redhat.com>
> > > > > > > > > > > > > > > > Cc:
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > Sent:
Tuesday, December 2, 2014 9:42:15 AM
> > > > > > > > > > > > > > > > Subject:
Re: [keycloak-dev] Federated
> > > > > > > > > > > > > > > > Identity
> > > > > > > > > > > > > > > > and
> > > > > > > > > > > > > > > >
Authentication
> > > > > > > > > > > > > > > > Broker
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > All look
and feel related things including
> > > > > > > > > > > > > > > > images
> > > > > > > > > > > > > > > > and
> > > > > > > > > > > > > > > >
stylesheets
> > > > > > > > > > > > > > > > should
> > > > > > > > > > > > > > > > be
> > > > > > > > > > > > > > > > part of
themes. This is to allow customizing
> > > > > > > > > > > > > > > > them
> > > > > > > > > > > > > > > > in
> > > > > > > > > > > > > > > > the
> > > > > > > > > > > > > > > > theme.
> > > > > > > > > > > > > > > > Also,
> > > > > > > > > > > > > > > > an
> > > > > > > > > > > > > > > > image is
not the correct way to render a
> > > > > > > > > > > > > > > > button,
> > > > > > > > > > > > > > > > it
> > > > > > > > > > > > > > > > should
> > > > > > > > > > > > > > > > be
> > > > > > > > > > > > > > > > defined
> > > > > > > > > > > > > > > > in
> > > > > > > > > > > > > > > > CSS.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > -----
Original Message -----
> > > > > > > > > > > > > > > > >
From: "Stian Thorgersen" <stian(a)redhat.com>
> > > > > > > > > > > > > > > > > To:
"Pedro Igor Silva" <psilva(a)redhat.com>
> > > > > > > > > > > > > > > > > Cc:
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > >
Sent: Tuesday, 2 December, 2014 12:34:45 PM
> > > > > > > > > > > > > > > > >
Subject: Re: [keycloak-dev] Federated
> > > > > > > > > > > > > > > > >
Identity
> > > > > > > > > > > > > > > > > and
> > > > > > > > > > > > > > > > >
Authentication
> > > > > > > > > > > > > > > > >
Broker
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > You
shouldn't have icon images for social
> > > > > > > > > > > > > > > > >
providers.
> > > > > > > > > > > > > > > > >
They
> > > > > > > > > > > > > > > > >
should
> > > > > > > > > > > > > > > > > be
> > > > > > > > > > > > > > > > >
specified
> > > > > > > > > > > > > > > > > as
part of the theme in CSS as is now.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > >
----- Original Message -----
> > > > > > > > > > > > > > > > > >
From: "Pedro Igor Silva"
> > > > > > > > > > > > > > > > > >
<psilva(a)redhat.com>
> > > > > > > > > > > > > > > > > >
To: "Bill Burke" <bburke(a)redhat.com>
> > > > > > > > > > > > > > > > > >
Cc: keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > > >
Sent: Tuesday, 2 December, 2014 12:22:21
> > > > > > > > > > > > > > > > > >
PM
> > > > > > > > > > > > > > > > > >
Subject: Re: [keycloak-dev] Federated
> > > > > > > > > > > > > > > > > >
Identity
> > > > > > > > > > > > > > > > > >
and
> > > > > > > > > > > > > > > > > >
Authentication
> > > > > > > > > > > > > > > > > >
Broker
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
Hi,
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
Anyone know where I can get the icons
> > > > > > > > > > > > > > > > > >
images
> > > > > > > > > > > > > > > > > >
for
> > > > > > > > > > > > > > > > > >
social
> > > > > > > > > > > > > > > > > >
providers
> > > > > > > > > > > > > > > > > >
?
> > > > > > > > > > > > > > > > > >
It
> > > > > > > > > > > > > > > > > >
seems zocial defines them encoded in
> > > > > > > > > > > > > > > > > >
some
> > > > > > > > > > > > > > > > > >
way
> > > > > > > > > > > > > > > > > >
in
> > > > > > > > > > > > > > > > > >
CSS.
> > > > > > > > > > > > > > > > > >
I
> > > > > > > > > > > > > > > > > >
need
> > > > > > > > > > > > > > > > > >
that
> > > > > > > > > > > > > > > > > >
to
> > > > > > > > > > > > > > > > > >
provide default images if user does
> > > > > > > > > > > > > > > > > >
not
> > > > > > > > > > > > > > > > > >
specify
> > > > > > > > > > > > > > > > > >
their
> > > > > > > > > > > > > > > > > >
own.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
Or is still possible to use zocial
> > > > > > > > > > > > > > > > > >
ones
> > > > > > > > > > > > > > > > > >
?
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
Regards.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
----- Original Message -----
> > > > > > > > > > > > > > > > > >
From: "Pedro Igor Silva"
> > > > > > > > > > > > > > > > > >
<psilva(a)redhat.com>
> > > > > > > > > > > > > > > > > >
To: "Bill Burke" <bburke(a)redhat.com>
> > > > > > > > > > > > > > > > > >
Cc: keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > > >
Sent: Thursday, November 27, 2014 9:01:38
> > > > > > > > > > > > > > > > > >
PM
> > > > > > > > > > > > > > > > > >
Subject: Re: [keycloak-dev] Federated
> > > > > > > > > > > > > > > > > >
Identity
> > > > > > > > > > > > > > > > > >
and
> > > > > > > > > > > > > > > > > >
Authentication
> > > > > > > > > > > > > > > > > >
Broker
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
Hi guys,
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
I've done some initial work covering
> > > > > > > > > > > > > > > > > >
both
> > > > > > > > > > > > > > > > > >
persistence
> > > > > > > > > > > > > > > > > >
and
> > > > > > > > > > > > > > > > > >
brokering.
> > > > > > > > > > > > > > > > > >
No
> > > > > > > > > > > > > > > > > >
UI, yet. I'm focused on the model,
> > > > > > > > > > > > > > > > > >
rest
> > > > > > > > > > > > > > > > > >
api
> > > > > > > > > > > > > > > > > >
and
> > > > > > > > > > > > > > > > > >
brokering
> > > > > > > > > > > > > > > > > >
functionality
> > > > > > > > > > > > > > > > > >
for now.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
What I have is enough to decide if we
> > > > > > > > > > > > > > > > > >
are
> > > > > > > > > > > > > > > > > >
aligned
> > > > > > > > > > > > > > > > > >
about
> > > > > > > > > > > > > > > > > >
this
> > > > > > > > > > > > > > > > > >
functionality. So you can understand
> > > > > > > > > > > > > > > > > >
how
> > > > > > > > > > > > > > > > > >
the
> > > > > > > > > > > > > > > > > >
model
> > > > > > > > > > > > > > > > > >
(and
> > > > > > > > > > > > > > > > > >
persistence),
> > > > > > > > > > > > > > > > > >
rest api and brokering functionality
> > > > > > > > > > > > > > > > > >
looks
> > > > > > > > > > > > > > > > > >
like.
> > > > > > > > > > > > > > > > > >
Can
> > > > > > > > > > > > > > > > > >
we
> > > > > > > > > > > > > > > > > >
schedule
> > > > > > > > > > > > > > > > > >
a
> > > > > > > > > > > > > > > > > >
meeting ?
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
Btw, my branch is here [1].
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
[1]
> > > > > > > > > > > > > > > > > >
https://github.com/pedroigor/keycloak/tree/authentication-broker2
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
Regards.
> > > > > > > > > > > > > > > > > >
Pedro Igor
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
----- Original Message -----
> > > > > > > > > > > > > > > > > >
From: "Bill Burke" <bburke(a)redhat.com>
> > > > > > > > > > > > > > > > > >
To: keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > > >
Sent: Thursday, November 20, 2014 2:48:49
> > > > > > > > > > > > > > > > > >
PM
> > > > > > > > > > > > > > > > > >
Subject: Re: [keycloak-dev] Federated
> > > > > > > > > > > > > > > > > >
Identity
> > > > > > > > > > > > > > > > > >
and
> > > > > > > > > > > > > > > > > >
Authentication
> > > > > > > > > > > > > > > > > >
Broker
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
Currently adapters can only make authz
> > > > > > > > > > > > > > > > > >
decisions
> > > > > > > > > > > > > > > > > >
(@RolesAllowed)
> > > > > > > > > > > > > > > > > >
based
> > > > > > > > > > > > > > > > > >
on either realm roles or the roles of one
> > > > > > > > > > > > > > > > > >
specific
> > > > > > > > > > > > > > > > > >
application.
> > > > > > > > > > > > > > > > > >
This
> > > > > > > > > > > > > > > > > >
is
> > > > > > > > > > > > > > > > > >
related to 1) too.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
On 11/20/2014 11:40 AM, Bolesław
> > > > > > > > > > > > > > > > > >
Dawidowicz
> > > > > > > > > > > > > > > > > >
wrote:
> > > > > > > > > > > > > > > > > >
> 1) Sounds like something definitely
> > > > > > > > > > > > > > > > > >
> worth
> > > > > > > > > > > > > > > > > >
> aiming
> > > > > > > > > > > > > > > > > >
> for.
> > > > > > > > > > > > > > > > > >
>
> > > > > > > > > > > > > > > > > >
> On 11/20/2014 09:55 AM, Stian
> > > > > > > > > > > > > > > > > >
> Thorgersen
> > > > > > > > > > > > > > > > > >
> wrote:
> > > > > > > > > > > > > > > > > >
>> I just wanted to quickly list the
> > > > > > > > > > > > > > > > > >
>> additional
> > > > > > > > > > > > > > > > > >
>> work
> > > > > > > > > > > > > > > > > >
>> we
> > > > > > > > > > > > > > > > > >
>> discussed
> > > > > > > > > > > > > > > > > >
>> so
> > > > > > > > > > > > > > > > > >
>> everyone
> > > > > > > > > > > > > > > > > >
>> can think about it (in no particular
> > > > > > > > > > > > > > > > > >
>> order):
> > > > > > > > > > > > > > > > > >
>>
> > > > > > > > > > > > > > > > > >
>> 1) Mapping of tokens - how do we deal
> > > > > > > > > > > > > > > > > >
>> with
> > > > > > > > > > > > > > > > > >
>> mapping
> > > > > > > > > > > > > > > > > >
>> of
> > > > > > > > > > > > > > > > > >
>> an
> > > > > > > > > > > > > > > > > >
>> external
> > > > > > > > > > > > > > > > > >
>> token
> > > > > > > > > > > > > > > > > >
>> to
> > > > > > > > > > > > > > > > > >
>> a KC token? For example an external
> > > > > > > > > > > > > > > > > >
>> token
> > > > > > > > > > > > > > > > > >
>> with
> > > > > > > > > > > > > > > > > >
>> attribute
> > > > > > > > > > > > > > > > > >
>> 'group'
> > > > > > > > > > > > > > > > > >
>> that
> > > > > > > > > > > > > > > > > >
>> contains 'sales' and 'manager' could
> > > > > > > > > > > > > > > > > >
>> be
> > > > > > > > > > > > > > > > > >
>> mapped
> > > > > > > > > > > > > > > > > >
>> to
> > > > > > > > > > > > > > > > > >
>> 'manager'
> > > > > > > > > > > > > > > > > >
>> role
> > > > > > > > > > > > > > > > > >
>> for
> > > > > > > > > > > > > > > > > >
>> 'sales app in a KC token. Could we use
> > > > > > > > > > > > > > > > > >
>> Drools?
> > > > > > > > > > > > > > > > > >
>> This
> > > > > > > > > > > > > > > > > >
>> could
> > > > > > > > > > > > > > > > > >
>> also
> > > > > > > > > > > > > > > > > >
>> be
> > > > > > > > > > > > > > > > > >
>> used
> > > > > > > > > > > > > > > > > >
>> in
> > > > > > > > > > > > > > > > > >
>> user federation to allow more complex
> > > > > > > > > > > > > > > > > >
>> mapping
> > > > > > > > > > > > > > > > > >
>> of
> > > > > > > > > > > > > > > > > >
>> roles/groups
> > > > > > > > > > > > > > > > > >
>> than
> > > > > > > > > > > > > > > > > >
>> a
> > > > > > > > > > > > > > > > > >
>> simple 1-1
> > > > > > > > > > > > > > > > > >
>> 2) Retrieving tokens - if an
> > > > > > > > > > > > > > > > > >
>> application
> > > > > > > > > > > > > > > > > >
>> wants
> > > > > > > > > > > > > > > > > >
>> to
> > > > > > > > > > > > > > > > > >
>> retrieve
> > > > > > > > > > > > > > > > > >
>> the
> > > > > > > > > > > > > > > > > >
>> external
> > > > > > > > > > > > > > > > > >
>> token (for example to view Facebook
> > > > > > > > > > > > > > > > > >
>> friends
> > > > > > > > > > > > > > > > > >
>> if
> > > > > > > > > > > > > > > > > >
>> user
> > > > > > > > > > > > > > > > > >
>> logged
> > > > > > > > > > > > > > > > > >
>> in
> > > > > > > > > > > > > > > > > >
>> with
> > > > > > > > > > > > > > > > > >
>> Facebook)
> > > > > > > > > > > > > > > > > >
>> 3) Configure scope - currently for
> > > > > > > > > > > > > > > > > >
>> social
> > > > > > > > > > > > > > > > > >
>> we
> > > > > > > > > > > > > > > > > >
>> only
> > > > > > > > > > > > > > > > > >
>> request
> > > > > > > > > > > > > > > > > >
>> a
> > > > > > > > > > > > > > > > > >
>> very
> > > > > > > > > > > > > > > > > >
>> limited
> > > > > > > > > > > > > > > > > >
>> scope (basic profile and email), to
> > > > > > > > > > > > > > > > > >
>> for
> > > > > > > > > > > > > > > > > >
>> example
> > > > > > > > > > > > > > > > > >
>> view
> > > > > > > > > > > > > > > > > >
>> Facebook
> > > > > > > > > > > > > > > > > >
>> friends
> > > > > > > > > > > > > > > > > >
>> we'd need to ask for that as well
> > > > > > > > > > > > > > > > > >
>> 4) Selecting provider - currently in
> > > > > > > > > > > > > > > > > >
>> social
> > > > > > > > > > > > > > > > > >
>> (and
> > > > > > > > > > > > > > > > > >
>> for
> > > > > > > > > > > > > > > > > >
>> first
> > > > > > > > > > > > > > > > > >
>> pass
> > > > > > > > > > > > > > > > > >
>> of
> > > > > > > > > > > > > > > > > >
>> brokering) we have an icon user has to
> > > > > > > > > > > > > > > > > >
>> select,
> > > > > > > > > > > > > > > > > >
>> but
> > > > > > > > > > > > > > > > > >
>> can
> > > > > > > > > > > > > > > > > >
>> we
> > > > > > > > > > > > > > > > > >
>> select
> > > > > > > > > > > > > > > > > >
>> the
> > > > > > > > > > > > > > > > > >
>> provider in a different way (for
> > > > > > > > > > > > > > > > > >
>> example
> > > > > > > > > > > > > > > > > >
>> ask
> > > > > > > > > > > > > > > > > >
>> user
> > > > > > > > > > > > > > > > > >
>> for
> > > > > > > > > > > > > > > > > >
>> email,
> > > > > > > > > > > > > > > > > >
>> and
> > > > > > > > > > > > > > > > > >
>> select
> > > > > > > > > > > > > > > > > >
>> based on email domain)
> > > > > > > > > > > > > > > > > >
>> 5) Gateway - don't create a KC token,
> > > > > > > > > > > > > > > > > >
>> but
> > > > > > > > > > > > > > > > > >
>> just
> > > > > > > > > > > > > > > > > >
>> forward
> > > > > > > > > > > > > > > > > >
>> the
> > > > > > > > > > > > > > > > > >
>> external
> > > > > > > > > > > > > > > > > >
>> token
> > > > > > > > > > > > > > > > > >
>>
> > > > > > > > > > > > > > > > > >
>> IMO 1) is a killer feature, as it
> > > > > > > > > > > > > > > > > >
>> would
> > > > > > > > > > > > > > > > > >
>> allow
> > > > > > > > > > > > > > > > > >
>> companies
> > > > > > > > > > > > > > > > > >
>> to
> > > > > > > > > > > > > > > > > >
>> add
> > > > > > > > > > > > > > > > > >
>> external
> > > > > > > > > > > > > > > > > >
>> users without having to modify their
> > > > > > > > > > > > > > > > > >
>> applications.
> > > > > > > > > > > > > > > > > >
>> Issue
> > > > > > > > > > > > > > > > > >
>> with
> > > > > > > > > > > > > > > > > >
>> 5)
> > > > > > > > > > > > > > > > > >
>> is
> > > > > > > > > > > > > > > > > >
>> that
> > > > > > > > > > > > > > > > > >
>> applications need to understand more
> > > > > > > > > > > > > > > > > >
>> than
> > > > > > > > > > > > > > > > > >
>> one
> > > > > > > > > > > > > > > > > >
>> token,
> > > > > > > > > > > > > > > > > >
>> which
> > > > > > > > > > > > > > > > > >
>> would
> > > > > > > > > > > > > > > > > >
>> require
> > > > > > > > > > > > > > > > > >
>> rewriting applications.
> > > > > > > > > > > > > > > > > >
>>
> > > > > > > > > > > > > > > > > >
>> This work is also somewhat related to
> > > > > > > > > > > > > > > > > >
>> other
> > > > > > > > > > > > > > > > > >
>> authentication
> > > > > > > > > > > > > > > > > >
>> mechanisms
> > > > > > > > > > > > > > > > > >
>> (for
> > > > > > > > > > > > > > > > > >
>> example Kerberos ticket, LDAP and
> > > > > > > > > > > > > > > > > >
>> passwordless).
> > > > > > > > > > > > > > > > > >
>>
> > > > > > > > > > > > > > > > > >
>> ----- Original Message -----
> > > > > > > > > > > > > > > > > >
>>> From: "Pedro Igor Silva"
> > > > > > > > > > > > > > > > > >
>>> <psilva(a)redhat.com>
> > > > > > > > > > > > > > > > > >
>>> To: "Bill Burke" <bburke(a)redhat.com>
> > > > > > > > > > > > > > > > > >
>>> Cc: keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > > >
>>> Sent: Wednesday, 19 November, 2014
> > > > > > > > > > > > > > > > > >
>>> 8:27:58
> > > > > > > > > > > > > > > > > >
>>> PM
> > > > > > > > > > > > > > > > > >
>>> Subject: Re: [keycloak-dev] Federated
> > > > > > > > > > > > > > > > > >
>>> Identity
> > > > > > > > > > > > > > > > > >
>>> and
> > > > > > > > > > > > > > > > > >
>>> Authentication
> > > > > > > > > > > > > > > > > >
>>> Broker
> > > > > > > > > > > > > > > > > >
>>>
> > > > > > > > > > > > > > > > > >
>>> ----- Original Message -----
> > > > > > > > > > > > > > > > > >
>>>> From: "Bill Burke"
> > > > > > > > > > > > > > > > > >
>>>> <bburke(a)redhat.com>
> > > > > > > > > > > > > > > > > >
>>>> To: keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > > >
>>>> Sent: Wednesday, November 19, 2014
> > > > > > > > > > > > > > > > > >
>>>> 4:39:52
> > > > > > > > > > > > > > > > > >
>>>> PM
> > > > > > > > > > > > > > > > > >
>>>> Subject: Re: [keycloak-dev]
> > > > > > > > > > > > > > > > > >
>>>> Federated
> > > > > > > > > > > > > > > > > >
>>>> Identity
> > > > > > > > > > > > > > > > > >
>>>> and
> > > > > > > > > > > > > > > > > >
>>>> Authentication
> > > > > > > > > > > > > > > > > >
>>>> Broker
> > > > > > > > > > > > > > > > > >
>>>>
> > > > > > > > > > > > > > > > > >
>>>>
> > > > > > > > > > > > > > > > > >
>>>>
> > > > > > > > > > > > > > > > > >
>>>> On 11/19/2014 1:22 PM, Pedro Igor
> > > > > > > > > > > > > > > > > >
>>>> Silva
> > > > > > > > > > > > > > > > > >
>>>> wrote:
> > > > > > > > > > > > > > > > > >
>>>>> Hi,
> > > > > > > > > > > > > > > > > >
>>>>>
> > > > > > > > > > > > > > > > > >
>>>>> Would like to start a
> > > > > > > > > > > > > > > > > >
>>>>> discussion
> > > > > > > > > > > > > > > > > >
>>>>> about
> > > > > > > > > > > > > > > > > >
>>>>> how
> > > > > > > > > > > > > > > > > >
>>>>> to
> > > > > > > > > > > > > > > > > >
>>>>> enable
> > > > > > > > > > > > > > > > > >
>>>>> KC
> > > > > > > > > > > > > > > > > >
>>>>> as
> > > > > > > > > > > > > > > > > >
>>>>> an
> > > > > > > > > > > > > > > > > >
>>>>> Authentication Broker in
> > > > > > > > > > > > > > > > > >
>>>>> order
> > > > > > > > > > > > > > > > > >
>>>>> to
> > > > > > > > > > > > > > > > > >
>>>>> supported
> > > > > > > > > > > > > > > > > >
>>>>> Chained
> > > > > > > > > > > > > > > > > >
>>>>> Federation
> > > > > > > > > > > > > > > > > >
>>>>> and
> > > > > > > > > > > > > > > > > >
>>>>> also Identity Federation.
> > > > > > > > > > > > > > > > > >
>>>>> First
> > > > > > > > > > > > > > > > > >
>>>>> of
> > > > > > > > > > > > > > > > > >
>>>>> all,
> > > > > > > > > > > > > > > > > >
>>>>> some
> > > > > > > > > > > > > > > > > >
>>>>> background
> > > > > > > > > > > > > > > > > >
>>>>> about
> > > > > > > > > > > > > > > > > >
>>>>> what
> > > > > > > > > > > > > > > > > >
>>>>> this is all about.
> > > > > > > > > > > > > > > > > >
>>>>>
> > > > > > > > > > > > > > > > > >
>>>>> Currently KeyCloak provides
> > > > > > > > > > > > > > > > > >
>>>>> two
> > > > > > > > > > > > > > > > > >
>>>>> basic
> > > > > > > > > > > > > > > > > >
>>>>> types
> > > > > > > > > > > > > > > > > >
>>>>> of
> > > > > > > > > > > > > > > > > >
>>>>> authentication
> > > > > > > > > > > > > > > > > >
>>>>> (correct
> > > > > > > > > > > > > > > > > >
>>>>> me if I'm wrong, please):
> > > > > > > > > > > > > > > > > >
>>>>>
> > > > > > > > > > > > > > > > > >
>>>>> 1) Local authentication
> > > > > > > > > > > > > > > > > >
>>>>> (based
> > > > > > > > > > > > > > > > > >
>>>>> on
> > > > > > > > > > > > > > > > > >
>>>>> some
> > > > > > > > > > > > > > > > > >
>>>>> credential
> > > > > > > > > > > > > > > > > >
>>>>> type
> > > > > > > > > > > > > > > > > >
>>>>> enabled
> > > > > > > > > > > > > > > > > >
>>>>> to
> > > > > > > > > > > > > > > > > >
>>>>> a realm)
> > > > > > > > > > > > > > > > > >
>>>>> 2) Social authentication
> > > > > > > > > > > > > > > > > >
>>>>>
> > > > > > > > > > > > > > > > > >
>>>>> Local authentication is
> > > > > > > > > > > > > > > > > >
>>>>> about
> > > > > > > > > > > > > > > > > >
>>>>> authenticating
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> user
> > > > > > > > > > > > > > > > > >
>>>>> locally
> > > > > > > > > > > > > > > > > >
>>>>> using
> > > > > > > > > > > > > > > > > >
>>>>> KC's own identity store.
> > > > > > > > > > > > > > > > > >
>>>>> Nothing
> > > > > > > > > > > > > > > > > >
>>>>> special
> > > > > > > > > > > > > > > > > >
>>>>> here.
> > > > > > > > > > > > > > > > > >
>>>>> And
> > > > > > > > > > > > > > > > > >
>>>>> Social
> > > > > > > > > > > > > > > > > >
>>>>> Authentication which allows
> > > > > > > > > > > > > > > > > >
>>>>> users
> > > > > > > > > > > > > > > > > >
>>>>> to
> > > > > > > > > > > > > > > > > >
>>>>> choose
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> Social
> > > > > > > > > > > > > > > > > >
>>>>> IdP
> > > > > > > > > > > > > > > > > >
>>>>> they
> > > > > > > > > > > > > > > > > >
>>>>> want
> > > > > > > > > > > > > > > > > >
>>>>> to authenticate with. In
> > > > > > > > > > > > > > > > > >
>>>>> this
> > > > > > > > > > > > > > > > > >
>>>>> case,
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> IdP
> > > > > > > > > > > > > > > > > >
>>>>> is
> > > > > > > > > > > > > > > > > >
>>>>> always
> > > > > > > > > > > > > > > > > >
>>>>> one
> > > > > > > > > > > > > > > > > >
>>>>> of
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> built-in social providers
> > > > > > > > > > > > > > > > > >
>>>>> supported
> > > > > > > > > > > > > > > > > >
>>>>> by
> > > > > > > > > > > > > > > > > >
>>>>> KC
> > > > > > > > > > > > > > > > > >
>>>>> such
> > > > > > > > > > > > > > > > > >
>>>>> as
> > > > > > > > > > > > > > > > > >
>>>>> Facebook,
> > > > > > > > > > > > > > > > > >
>>>>> Google,
> > > > > > > > > > > > > > > > > >
>>>>> Twitter, Github and so
> > > > > > > > > > > > > > > > > >
>>>>> forth.
> > > > > > > > > > > > > > > > > >
>>>>>
> > > > > > > > > > > > > > > > > >
>>>>> When doing social, the user
> > > > > > > > > > > > > > > > > >
>>>>> is
> > > > > > > > > > > > > > > > > >
>>>>> automatically
> > > > > > > > > > > > > > > > > >
>>>>> provisioned
> > > > > > > > > > > > > > > > > >
>>>>> in
> > > > > > > > > > > > > > > > > >
>>>>> KC
> > > > > > > > > > > > > > > > > >
>>>>> identity store after a
> > > > > > > > > > > > > > > > > >
>>>>> successful
> > > > > > > > > > > > > > > > > >
>>>>> authentication.
> > > > > > > > > > > > > > > > > >
>>>>> The
> > > > > > > > > > > > > > > > > >
>>>>> user
> > > > > > > > > > > > > > > > > >
>>>>> does
> > > > > > > > > > > > > > > > > >
>>>>> not
> > > > > > > > > > > > > > > > > >
>>>>> need to fill a registration
> > > > > > > > > > > > > > > > > >
>>>>> form
> > > > > > > > > > > > > > > > > >
>>>>> and
> > > > > > > > > > > > > > > > > >
>>>>> can
> > > > > > > > > > > > > > > > > >
>>>>> access
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> application
> > > > > > > > > > > > > > > > > >
>>>>> very
> > > > > > > > > > > > > > > > > >
>>>>> quickly. During the
> > > > > > > > > > > > > > > > > >
>>>>> provisioning
> > > > > > > > > > > > > > > > > >
>>>>> some
> > > > > > > > > > > > > > > > > >
>>>>> basic
> > > > > > > > > > > > > > > > > >
>>>>> information
> > > > > > > > > > > > > > > > > >
>>>>> is
> > > > > > > > > > > > > > > > > >
>>>>> retrieved
> > > > > > > > > > > > > > > > > >
>>>>> from the social provider
> > > > > > > > > > > > > > > > > >
>>>>> such
> > > > > > > > > > > > > > > > > >
>>>>> as
> > > > > > > > > > > > > > > > > >
>>>>> email,
> > > > > > > > > > > > > > > > > >
>>>>> firstname
> > > > > > > > > > > > > > > > > >
>>>>> and
> > > > > > > > > > > > > > > > > >
>>>>> so
> > > > > > > > > > > > > > > > > >
>>>>> forth.
> > > > > > > > > > > > > > > > > >
>>>>> These
> > > > > > > > > > > > > > > > > >
>>>>> are very basic information,
> > > > > > > > > > > > > > > > > >
>>>>> any
> > > > > > > > > > > > > > > > > >
>>>>> other
> > > > > > > > > > > > > > > > > >
>>>>> information
> > > > > > > > > > > > > > > > > >
>>>>> such
> > > > > > > > > > > > > > > > > >
>>>>> as
> > > > > > > > > > > > > > > > > >
>>>>> those
> > > > > > > > > > > > > > > > > >
>>>>> related with authorization
> > > > > > > > > > > > > > > > > >
>>>>> policies
> > > > > > > > > > > > > > > > > >
>>>>> -
> > > > > > > > > > > > > > > > > >
>>>>> eg.:
> > > > > > > > > > > > > > > > > >
>>>>> roles
> > > > > > > > > > > > > > > > > >
>>>>> and
> > > > > > > > > > > > > > > > > >
>>>>> groups
> > > > > > > > > > > > > > > > > >
>>>>> -
> > > > > > > > > > > > > > > > > >
>>>>> must
> > > > > > > > > > > > > > > > > >
>>>>> be
> > > > > > > > > > > > > > > > > >
>>>>> defined later via KC's admin
> > > > > > > > > > > > > > > > > >
>>>>> console.
> > > > > > > > > > > > > > > > > >
>>>>>
> > > > > > > > > > > > > > > > > >
>>>>> Another important
> > > > > > > > > > > > > > > > > >
>>>>> characteristic
> > > > > > > > > > > > > > > > > >
>>>>> of
> > > > > > > > > > > > > > > > > >
>>>>> social
> > > > > > > > > > > > > > > > > >
>>>>> authentication
> > > > > > > > > > > > > > > > > >
>>>>> is
> > > > > > > > > > > > > > > > > >
>>>>> that
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> application receives a KC
> > > > > > > > > > > > > > > > > >
>>>>> token
> > > > > > > > > > > > > > > > > >
>>>>> and
> > > > > > > > > > > > > > > > > >
>>>>> not
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> token
> > > > > > > > > > > > > > > > > >
>>>>> that
> > > > > > > > > > > > > > > > > >
>>>>> was
> > > > > > > > > > > > > > > > > >
>>>>> issued by
> > > > > > > > > > > > > > > > > >
>>>>> the social IdP during the
> > > > > > > > > > > > > > > > > >
>>>>> authentication
> > > > > > > > > > > > > > > > > >
>>>>> process.
> > > > > > > > > > > > > > > > > >
>>>>> If
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> application
> > > > > > > > > > > > > > > > > >
>>>>> wants to consume resources
> > > > > > > > > > > > > > > > > >
>>>>> from
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> resource
> > > > > > > > > > > > > > > > > >
>>>>> provider
> > > > > > > > > > > > > > > > > >
>>>>> he
> > > > > > > > > > > > > > > > > >
>>>>> was
> > > > > > > > > > > > > > > > > >
>>>>> authenticated it must obtain
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> access
> > > > > > > > > > > > > > > > > >
>>>>> token(again)
> > > > > > > > > > > > > > > > > >
>>>>> by
> > > > > > > > > > > > > > > > > >
>>>>> itself
> > > > > > > > > > > > > > > > > >
>>>>> prior
> > > > > > > > > > > > > > > > > >
>>>>> to invoke the resource
> > > > > > > > > > > > > > > > > >
>>>>> provider
> > > > > > > > > > > > > > > > > >
>>>>> API.
> > > > > > > > > > > > > > > > > >
>>>>> Assuming
> > > > > > > > > > > > > > > > > >
>>>>> all
> > > > > > > > > > > > > > > > > >
>>>>> those
> > > > > > > > > > > > > > > > > >
>>>>> social
> > > > > > > > > > > > > > > > > >
>>>>> providers are based on oAuth
> > > > > > > > > > > > > > > > > >
>>>>> 1.0
> > > > > > > > > > > > > > > > > >
>>>>> or
> > > > > > > > > > > > > > > > > >
>>>>> 2.0.
> > > > > > > > > > > > > > > > > >
>>>>>
> > > > > > > > > > > > > > > > > >
>>>>> That said, the
> > > > > > > > > > > > > > > > > >
>>>>> Authentication
> > > > > > > > > > > > > > > > > >
>>>>> Broker
> > > > > > > > > > > > > > > > > >
>>>>> functionality
> > > > > > > > > > > > > > > > > >
>>>>> aims
> > > > > > > > > > > > > > > > > >
>>>>> to
> > > > > > > > > > > > > > > > > >
>>>>> cover
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> same use cases but with a
> > > > > > > > > > > > > > > > > >
>>>>> lot
> > > > > > > > > > > > > > > > > >
>>>>> of
> > > > > > > > > > > > > > > > > >
>>>>> more
> > > > > > > > > > > > > > > > > >
>>>>> flexibility
> > > > > > > > > > > > > > > > > >
>>>>> on
> > > > > > > > > > > > > > > > > >
>>>>> how
> > > > > > > > > > > > > > > > > >
>>>>> you
> > > > > > > > > > > > > > > > > >
>>>>> setup
> > > > > > > > > > > > > > > > > >
>>>>> identity providers(not only
> > > > > > > > > > > > > > > > > >
>>>>> social
> > > > > > > > > > > > > > > > > >
>>>>> ones)
> > > > > > > > > > > > > > > > > >
>>>>> and
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> different
> > > > > > > > > > > > > > > > > >
>>>>> federation
> > > > > > > > > > > > > > > > > >
>>>>> protocols they may support
> > > > > > > > > > > > > > > > > >
>>>>> such
> > > > > > > > > > > > > > > > > >
>>>>> as
> > > > > > > > > > > > > > > > > >
>>>>> SAML,
> > > > > > > > > > > > > > > > > >
>>>>> OpenID,
> > > > > > > > > > > > > > > > > >
>>>>> oAuth
> > > > > > > > > > > > > > > > > >
>>>>> and
> > > > > > > > > > > > > > > > > >
>>>>> so
> > > > > > > > > > > > > > > > > >
>>>>> forth.
> > > > > > > > > > > > > > > > > >
>>>>> This is useful when an
> > > > > > > > > > > > > > > > > >
>>>>> enterprise
> > > > > > > > > > > > > > > > > >
>>>>> is
> > > > > > > > > > > > > > > > > >
>>>>> providing
> > > > > > > > > > > > > > > > > >
>>>>> services
> > > > > > > > > > > > > > > > > >
>>>>> to
> > > > > > > > > > > > > > > > > >
>>>>> different
> > > > > > > > > > > > > > > > > >
>>>>> customers(IdP) and does not
> > > > > > > > > > > > > > > > > >
>>>>> want
> > > > > > > > > > > > > > > > > >
>>>>> to
> > > > > > > > > > > > > > > > > >
>>>>> manage
> > > > > > > > > > > > > > > > > >
>>>>> many
> > > > > > > > > > > > > > > > > >
>>>>> to
> > > > > > > > > > > > > > > > > >
>>>>> many
> > > > > > > > > > > > > > > > > >
>>>>> relationships. When using a
> > > > > > > > > > > > > > > > > >
>>>>> broker,
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> authentication
> > > > > > > > > > > > > > > > > >
>>>>> steps
> > > > > > > > > > > > > > > > > >
>>>>> are
> > > > > > > > > > > > > > > > > >
>>>>> pretty much the same when
> > > > > > > > > > > > > > > > > >
>>>>> you
> > > > > > > > > > > > > > > > > >
>>>>> are
> > > > > > > > > > > > > > > > > >
>>>>> using
> > > > > > > > > > > > > > > > > >
>>>>> social
> > > > > > > > > > > > > > > > > >
>>>>> authentication,
> > > > > > > > > > > > > > > > > >
>>>>> with
> > > > > > > > > > > > > > > > > >
>>>>> important differences on how
> > > > > > > > > > > > > > > > > >
>>>>> you
> > > > > > > > > > > > > > > > > >
>>>>> support
> > > > > > > > > > > > > > > > > >
>>>>> different
> > > > > > > > > > > > > > > > > >
>>>>> identity
> > > > > > > > > > > > > > > > > >
>>>>> providers, different
> > > > > > > > > > > > > > > > > >
>>>>> federation
> > > > > > > > > > > > > > > > > >
>>>>> protocols,
> > > > > > > > > > > > > > > > > >
>>>>> how
> > > > > > > > > > > > > > > > > >
>>>>> users
> > > > > > > > > > > > > > > > > >
>>>>> are
> > > > > > > > > > > > > > > > > >
>>>>> provisioned
> > > > > > > > > > > > > > > > > >
>>>>> and how claims and
> > > > > > > > > > > > > > > > > >
>>>>> attributes
> > > > > > > > > > > > > > > > > >
>>>>> are
> > > > > > > > > > > > > > > > > >
>>>>> resolved.
> > > > > > > > > > > > > > > > > >
>>>>>
> > > > > > > > > > > > > > > > > >
>>>>> The brokering functionality
> > > > > > > > > > > > > > > > > >
>>>>> can
> > > > > > > > > > > > > > > > > >
>>>>> be
> > > > > > > > > > > > > > > > > >
>>>>> done
> > > > > > > > > > > > > > > > > >
>>>>> in
> > > > > > > > > > > > > > > > > >
>>>>> two
> > > > > > > > > > > > > > > > > >
>>>>> ways
> > > > > > > > > > > > > > > > > >
>>>>> depending
> > > > > > > > > > > > > > > > > >
>>>>> if
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> broker service is acting as
> > > > > > > > > > > > > > > > > >
>>>>> a
> > > > > > > > > > > > > > > > > >
>>>>> gateway
> > > > > > > > > > > > > > > > > >
>>>>> or
> > > > > > > > > > > > > > > > > >
>>>>> not.
> > > > > > > > > > > > > > > > > >
>>>>> When
> > > > > > > > > > > > > > > > > >
>>>>> acting
> > > > > > > > > > > > > > > > > >
>>>>> as
> > > > > > > > > > > > > > > > > >
>>>>> a
> > > > > > > > > > > > > > > > > >
>>>>> gateway, the broker will
> > > > > > > > > > > > > > > > > >
>>>>> respond
> > > > > > > > > > > > > > > > > >
>>>>> to
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> application
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> same
> > > > > > > > > > > > > > > > > >
>>>>> token
> > > > > > > > > > > > > > > > > >
>>>>> issued by the trusted
> > > > > > > > > > > > > > > > > >
>>>>> identity
> > > > > > > > > > > > > > > > > >
>>>>> provider.
> > > > > > > > > > > > > > > > > >
>>>>> For
> > > > > > > > > > > > > > > > > >
>>>>> instance,
> > > > > > > > > > > > > > > > > >
>>>>> if
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> user
> > > > > > > > > > > > > > > > > >
>>>>> selects a SAML IdP to
> > > > > > > > > > > > > > > > > >
>>>>> authenticate
> > > > > > > > > > > > > > > > > >
>>>>> with,
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> application
> > > > > > > > > > > > > > > > > >
>>>>> will
> > > > > > > > > > > > > > > > > >
>>>>> receive
> > > > > > > > > > > > > > > > > >
>>>>> a SAML Response. In this
> > > > > > > > > > > > > > > > > >
>>>>> case,
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> application
> > > > > > > > > > > > > > > > > >
>>>>> must
> > > > > > > > > > > > > > > > > >
>>>>> also
> > > > > > > > > > > > > > > > > >
>>>>> be
> > > > > > > > > > > > > > > > > >
>>>>> prepared
> > > > > > > > > > > > > > > > > >
>>>>> to handle a specific
> > > > > > > > > > > > > > > > > >
>>>>> federation
> > > > > > > > > > > > > > > > > >
>>>>> protocol.
> > > > > > > > > > > > > > > > > >
>>>>>
> > > > > > > > > > > > > > > > > >
>>>>> However, the broker service
> > > > > > > > > > > > > > > > > >
>>>>> can
> > > > > > > > > > > > > > > > > >
>>>>> also
> > > > > > > > > > > > > > > > > >
>>>>> be
> > > > > > > > > > > > > > > > > >
>>>>> used
> > > > > > > > > > > > > > > > > >
>>>>> to
> > > > > > > > > > > > > > > > > >
>>>>> completely
> > > > > > > > > > > > > > > > > >
>>>>> abstract
> > > > > > > > > > > > > > > > > >
>>>>> from the application the
> > > > > > > > > > > > > > > > > >
>>>>> protocol
> > > > > > > > > > > > > > > > > >
>>>>> used
> > > > > > > > > > > > > > > > > >
>>>>> to
> > > > > > > > > > > > > > > > > >
>>>>> authenticate
> > > > > > > > > > > > > > > > > >
>>>>> an
> > > > > > > > > > > > > > > > > >
>>>>> user.
> > > > > > > > > > > > > > > > > >
>>>>> In
> > > > > > > > > > > > > > > > > >
>>>>> this case, the application
> > > > > > > > > > > > > > > > > >
>>>>> will
> > > > > > > > > > > > > > > > > >
>>>>> just
> > > > > > > > > > > > > > > > > >
>>>>> receive
> > > > > > > > > > > > > > > > > >
>>>>> an
> > > > > > > > > > > > > > > > > >
>>>>> ordinary
> > > > > > > > > > > > > > > > > >
>>>>> KC
> > > > > > > > > > > > > > > > > >
>>>>> token
> > > > > > > > > > > > > > > > > >
>>>>> after a successful
> > > > > > > > > > > > > > > > > >
>>>>> authentication.
> > > > > > > > > > > > > > > > > >
>>>>>
> > > > > > > > > > > > > > > > > >
>>>>> In both cases, the broker
> > > > > > > > > > > > > > > > > >
>>>>> acts
> > > > > > > > > > > > > > > > > >
>>>>> as
> > > > > > > > > > > > > > > > > >
>>>>> an
> > > > > > > > > > > > > > > > > >
>>>>> intermediary
> > > > > > > > > > > > > > > > > >
>>>>> where
> > > > > > > > > > > > > > > > > >
>>>>> specific
> > > > > > > > > > > > > > > > > >
>>>>> security policies can be
> > > > > > > > > > > > > > > > > >
>>>>> applied
> > > > > > > > > > > > > > > > > >
>>>>> when
> > > > > > > > > > > > > > > > > >
>>>>> users
> > > > > > > > > > > > > > > > > >
>>>>> try
> > > > > > > > > > > > > > > > > >
>>>>> to
> > > > > > > > > > > > > > > > > >
>>>>> authenticate
> > > > > > > > > > > > > > > > > >
>>>>> themselves against a 3rd
> > > > > > > > > > > > > > > > > >
>>>>> party
> > > > > > > > > > > > > > > > > >
>>>>> IdP.
> > > > > > > > > > > > > > > > > >
>>>>> That
> > > > > > > > > > > > > > > > > >
>>>>> brings
> > > > > > > > > > > > > > > > > >
>>>>> a
> > > > > > > > > > > > > > > > > >
>>>>> lot
> > > > > > > > > > > > > > > > > >
>>>>> of
> > > > > > > > > > > > > > > > > >
>>>>> value
> > > > > > > > > > > > > > > > > >
>>>>> when
> > > > > > > > > > > > > > > > > >
>>>>> you think about auditing,
> > > > > > > > > > > > > > > > > >
>>>>> authorization
> > > > > > > > > > > > > > > > > >
>>>>> and
> > > > > > > > > > > > > > > > > >
>>>>> how
> > > > > > > > > > > > > > > > > >
>>>>> users
> > > > > > > > > > > > > > > > > >
>>>>> are
> > > > > > > > > > > > > > > > > >
>>>>> provisioned
> > > > > > > > > > > > > > > > > >
>>>>> when federation of
> > > > > > > > > > > > > > > > > >
>>>>> identities
> > > > > > > > > > > > > > > > > >
>>>>> is
> > > > > > > > > > > > > > > > > >
>>>>> needed.
> > > > > > > > > > > > > > > > > >
>>>>> This
> > > > > > > > > > > > > > > > > >
>>>>> also
> > > > > > > > > > > > > > > > > >
>>>>> allows
> > > > > > > > > > > > > > > > > >
>>>>> existing
> > > > > > > > > > > > > > > > > >
>>>>> security infrastructures
> > > > > > > > > > > > > > > > > >
>>>>> (eg.:
> > > > > > > > > > > > > > > > > >
>>>>> SAML-based
> > > > > > > > > > > > > > > > > >
>>>>> infrastructures)
> > > > > > > > > > > > > > > > > >
>>>>> to
> > > > > > > > > > > > > > > > > >
>>>>> benefit
> > > > > > > > > > > > > > > > > >
>>>>> from KC's support for cloud,
> > > > > > > > > > > > > > > > > >
>>>>> rest
> > > > > > > > > > > > > > > > > >
>>>>> and
> > > > > > > > > > > > > > > > > >
>>>>> mobile
> > > > > > > > > > > > > > > > > >
>>>>> use
> > > > > > > > > > > > > > > > > >
>>>>> cases.
> > > > > > > > > > > > > > > > > >
>>>>>
> > > > > > > > > > > > > > > > > >
>>>>> I think this is enough to
> > > > > > > > > > > > > > > > > >
>>>>> start
> > > > > > > > > > > > > > > > > >
>>>>> a
> > > > > > > > > > > > > > > > > >
>>>>> discussion.
> > > > > > > > > > > > > > > > > >
>>>>> I've
> > > > > > > > > > > > > > > > > >
>>>>> an
> > > > > > > > > > > > > > > > > >
>>>>> initial
> > > > > > > > > > > > > > > > > >
>>>>> discussion with Stian about
> > > > > > > > > > > > > > > > > >
>>>>> all
> > > > > > > > > > > > > > > > > >
>>>>> that
> > > > > > > > > > > > > > > > > >
>>>>> and
> > > > > > > > > > > > > > > > > >
>>>>> we
> > > > > > > > > > > > > > > > > >
>>>>> agreed
> > > > > > > > > > > > > > > > > >
>>>>> that
> > > > > > > > > > > > > > > > > >
>>>>> abstract
> > > > > > > > > > > > > > > > > >
>>>>> the
> > > > > > > > > > > > > > > > > >
>>>>> protocol from applications
> > > > > > > > > > > > > > > > > >
>>>>> should
> > > > > > > > > > > > > > > > > >
>>>>> be
> > > > > > > > > > > > > > > > > >
>>>>> prioritized.
> > > > > > > > > > > > > > > > > >
>>>>> The
> > > > > > > > > > > > > > > > > >
>>>>> main
> > > > > > > > > > > > > > > > > >
>>>>> reason is
> > > > > > > > > > > > > > > > > >
>>>>> that it makes life easier
> > > > > > > > > > > > > > > > > >
>>>>> for
> > > > > > > > > > > > > > > > > >
>>>>> applications
> > > > > > > > > > > > > > > > > >
>>>>> so
> > > > > > > > > > > > > > > > > >
>>>>> they
> > > > > > > > > > > > > > > > > >
>>>>> only
> > > > > > > > > > > > > > > > > >
>>>>> need
> > > > > > > > > > > > > > > > > >
>>>>> to
> > > > > > > > > > > > > > > > > >
>>>>> know
> > > > > > > > > > > > > > > > > >
>>>>> about KC tokens and nothing
> > > > > > > > > > > > > > > > > >
>>>>> else.
> > > > > > > > > > > > > > > > > >
>>>>> However
> > > > > > > > > > > > > > > > > >
>>>>> that
> > > > > > > > > > > > > > > > > >
>>>>> brings
> > > > > > > > > > > > > > > > > >
>>>>> some
> > > > > > > > > > > > > > > > > >
>>>>> new
> > > > > > > > > > > > > > > > > >
>>>>> requirements around user
> > > > > > > > > > > > > > > > > >
>>>>> provisioning
> > > > > > > > > > > > > > > > > >
>>>>> and
> > > > > > > > > > > > > > > > > >
>>>>> claim/attribute
> > > > > > > > > > > > > > > > > >
>>>>> resolution
> > > > > > > > > > > > > > > > > >
>>>>> or mapping. But that would
> > > > > > > > > > > > > > > > > >
>>>>> be
> > > > > > > > > > > > > > > > > >
>>>>> another
> > > > > > > > > > > > > > > > > >
>>>>> thread.
> > > > > > > > > > > > > > > > > >
>>>>>
> > > > > > > > > > > > > > > > > >
>>>>
> > > > > > > > > > > > > > > > > >
>>>> Can you elaborate on "abstract the
> > > > > > > > > > > > > > > > > >
>>>> protocol
> > > > > > > > > > > > > > > > > >
>>>> from
> > > > > > > > > > > > > > > > > >
>>>> applications"?
> > > > > > > > > > > > > > > > > >
>>>> Not
> > > > > > > > > > > > > > > > > >
>>>> sure what you mean by that. IDP
> > > > > > > > > > > > > > > > > >
>>>> federation
> > > > > > > > > > > > > > > > > >
>>>> should
> > > > > > > > > > > > > > > > > >
>>>> be
> > > > > > > > > > > > > > > > > >
>>>> configured
> > > > > > > > > > > > > > > > > >
>>>> at
> > > > > > > > > > > > > > > > > >
>>>> the
> > > > > > > > > > > > > > > > > >
>>>> realm level and really has nothing
> > > > > > > > > > > > > > > > > >
>>>> to
> > > > > > > > > > > > > > > > > >
>>>> do
> > > > > > > > > > > > > > > > > >
>>>> with
> > > > > > > > > > > > > > > > > >
>>>> applications.
> > > > > > > > > > > > > > > > > >
>>>>
> > > > > > > > > > > > > > > > > >
>>>> I'm really happy that somebody is
> > > > > > > > > > > > > > > > > >
>>>> doing
> > > > > > > > > > > > > > > > > >
>>>> this.
> > > > > > > > > > > > > > > > > >
>>>> We're
> > > > > > > > > > > > > > > > > >
>>>> getting
> > > > > > > > > > > > > > > > > >
>>>> a
> > > > > > > > > > > > > > > > > >
>>>> real
> > > > > > > > > > > > > > > > > >
>>>> impressive feature set!
> > > > > > > > > > > > > > > > > >
>>>
> > > > > > > > > > > > > > > > > >
>>> Sure. What I meant was that the
> > > > > > > > > > > > > > > > > >
>>> application
> > > > > > > > > > > > > > > > > >
>>> only
> > > > > > > > > > > > > > > > > >
>>> knows
> > > > > > > > > > > > > > > > > >
>>> about
> > > > > > > > > > > > > > > > > >
>>> KC
> > > > > > > > > > > > > > > > > >
>>> tokens
> > > > > > > > > > > > > > > > > >
>>> nothing else. It will always receive
> > > > > > > > > > > > > > > > > >
>>> a
> > > > > > > > > > > > > > > > > >
>>> KC
> > > > > > > > > > > > > > > > > >
>>> token
> > > > > > > > > > > > > > > > > >
>>> regardless
> > > > > > > > > > > > > > > > > >
>>> the
> > > > > > > > > > > > > > > > > >
>>> protocol
> > > > > > > > > > > > > > > > > >
>>> used
> > > > > > > > > > > > > > > > > >
>>> to authenticate the user against a
> > > > > > > > > > > > > > > > > >
>>> 3rd
> > > > > > > > > > > > > > > > > >
>>> party
> > > > > > > > > > > > > > > > > >
>>> IdP
> > > > > > > > > > > > > > > > > >
>>> (saml,
> > > > > > > > > > > > > > > > > >
>>> oidc,
> > > > > > > > > > > > > > > > > >
>>> whatever).
> > > > > > > > > > > > > > > > > >
>>> The
> > > > > > > > > > > > > > > > > >
>>> example I gave was about an user
> > > > > > > > > > > > > > > > > >
>>> trying
> > > > > > > > > > > > > > > > > >
>>> to
> > > > > > > > > > > > > > > > > >
>>> authenticate
> > > > > > > > > > > > > > > > > >
>>> against
> > > > > > > > > > > > > > > > > >
>>> a
> > > > > > > > > > > > > > > > > >
>>> SAML
> > > > > > > > > > > > > > > > > >
>>> IdP.
> > > > > > > > > > > > > > > > > >
>>> In this case, after a successful
> > > > > > > > > > > > > > > > > >
>>> authentication
> > > > > > > > > > > > > > > > > >
>>> on
> > > > > > > > > > > > > > > > > >
>>> the
> > > > > > > > > > > > > > > > > >
>>> IdP,
> > > > > > > > > > > > > > > > > >
>>> the
> > > > > > > > > > > > > > > > > >
>>> IdP
> > > > > > > > > > > > > > > > > >
>>> will
> > > > > > > > > > > > > > > > > >
>>> issue a token to KC. Then KC will
> > > > > > > > > > > > > > > > > >
>>> validate
> > > > > > > > > > > > > > > > > >
>>> the
> > > > > > > > > > > > > > > > > >
>>> token,
> > > > > > > > > > > > > > > > > >
>>> perform
> > > > > > > > > > > > > > > > > >
>>> trust
> > > > > > > > > > > > > > > > > >
>>> and
> > > > > > > > > > > > > > > > > >
>>> security checks, do user provisioning
> > > > > > > > > > > > > > > > > >
>>> and
> > > > > > > > > > > > > > > > > >
>>> attribute/claim
> > > > > > > > > > > > > > > > > >
>>> resolution
> > > > > > > > > > > > > > > > > >
>>> to
> > > > > > > > > > > > > > > > > >
>>> finally issue a KC token and redirect
> > > > > > > > > > > > > > > > > >
>>> the
> > > > > > > > > > > > > > > > > >
>>> user
> > > > > > > > > > > > > > > > > >
>>> to
> > > > > > > > > > > > > > > > > >
>>> the
> > > > > > > > > > > > > > > > > >
>>> application.
> > > > > > > > > > > > > > > > > >
>>> If
> > > > > > > > > > > > > > > > > >
>>> the
> > > > > > > > > > > > > > > > > >
>>> app is configured to use openid in KC
> > > > > > > > > > > > > > > > > >
>>> then
> > > > > > > > > > > > > > > > > >
>>> it
> > > > > > > > > > > > > > > > > >
>>> will
> > > > > > > > > > > > > > > > > >
>>> receive
> > > > > > > > > > > > > > > > > >
>>> a
> > > > > > > > > > > > > > > > > >
>>> openid
> > > > > > > > > > > > > > > > > >
>>> token
> > > > > > > > > > > > > > > > > >
>>> from KC, not saml ...
> > > > > > > > > > > > > > > > > >
>>>
> > > > > > > > > > > > > > > > > >
>>> The other scenario is pretty much the
> > > > > > > > > > > > > > > > > >
>>> same.
> > > > > > > > > > > > > > > > > >
>>> The
> > > > > > > > > > > > > > > > > >
>>> difference
> > > > > > > > > > > > > > > > > >
>>> is
> > > > > > > > > > > > > > > > > >
>>> that
> > > > > > > > > > > > > > > > > >
>>> KC
> > > > > > > > > > > > > > > > > >
>>> will
> > > > > > > > > > > > > > > > > >
>>> not issue its own token but just
> > > > > > > > > > > > > > > > > >
>>> replay
> > > > > > > > > > > > > > > > > >
>>> the
> > > > > > > > > > > > > > > > > >
>>> token
> > > > > > > > > > > > > > > > > >
>>> issued
> > > > > > > > > > > > > > > > > >
>>> by
> > > > > > > > > > > > > > > > > >
>>> the
> > > > > > > > > > > > > > > > > >
>>> 3rd
> > > > > > > > > > > > > > > > > >
>>> party
> > > > > > > > > > > > > > > > > >
>>> IdP to the service provider.
> > > > > > > > > > > > > > > > > >
>>>
> > > > > > > > > > > > > > > > > >
>>> I agree that this config goes at the
> > > > > > > > > > > > > > > > > >
>>> realm
> > > > > > > > > > > > > > > > > >
>>> level.
> > > > > > > > > > > > > > > > > >
>>> For
> > > > > > > > > > > > > > > > > >
>>> instance,
> > > > > > > > > > > > > > > > > >
>>> to
> > > > > > > > > > > > > > > > > >
>>> create
> > > > > > > > > > > > > > > > > >
>>> and
> > > > > > > > > > > > > > > > > >
>>> enable providers for being used.
> > > > > > > > > > > > > > > > > >
>>> However,
> > > > > > > > > > > > > > > > > >
>>> I
> > > > > > > > > > > > > > > > > >
>>> think
> > > > > > > > > > > > > > > > > >
>>> we
> > > > > > > > > > > > > > > > > >
>>> would
> > > > > > > > > > > > > > > > > >
>>> need
> > > > > > > > > > > > > > > > > >
>>> some
> > > > > > > > > > > > > > > > > >
>>> specific configuration for
> > > > > > > > > > > > > > > > > >
>>> applications
> > > > > > > > > > > > > > > > > >
>>> as
> > > > > > > > > > > > > > > > > >
>>> well.
> > > > > > > > > > > > > > > > > >
>>> Specially
> > > > > > > > > > > > > > > > > >
>>> when
> > > > > > > > > > > > > > > > > >
>>> defining
> > > > > > > > > > > > > > > > > >
>>> default roles, mapping attributes.
> > > > > > > > > > > > > > > > > >
>>> Another
> > > > > > > > > > > > > > > > > >
>>> example
> > > > > > > > > > > > > > > > > >
>>> of
> > > > > > > > > > > > > > > > > >
>>> application
> > > > > > > > > > > > > > > > > >
>>> config
> > > > > > > > > > > > > > > > > >
>>> is
> > > > > > > > > > > > > > > > > >
>>> when using a OIDC/oAuth IdP. You may
> > > > > > > > > > > > > > > > > >
>>> want
> > > > > > > > > > > > > > > > > >
>>> to
> > > > > > > > > > > > > > > > > >
>>> define
> > > > > > > > > > > > > > > > > >
>>> scopes
> > > > > > > > > > > > > > > > > >
>>> per-application.
> > > > > > > > > > > > > > > > > >
>>>
> > > > > > > > > > > > > > > > > >
>>>>
> > > > > > > > > > > > > > > > > >
>>>> --
> > > > > > > > > > > > > > > > > >
>>>> Bill Burke
> > > > > > > > > > > > > > > > > >
>>>> JBoss, a division of Red Hat
> > > > > > > > > > > > > > > > > >
>>>>
http://bill.burkecentral.com
> > > > > > > > > > > > > > > > > >
>>>> _______________________________________________
> > > > > > > > > > > > > > > > > >
>>>> keycloak-dev mailing list
> > > > > > > > > > > > > > > > > >
>>>> keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > > >
>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > > > > > > > > > > > > > > > >
>>>>
> > > > > > > > > > > > > > > > > >
>>> _______________________________________________
> > > > > > > > > > > > > > > > > >
>>> keycloak-dev mailing list
> > > > > > > > > > > > > > > > > >
>>> keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > > >
>>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > > > > > > > > > > > > > > > >
>>>
> > > > > > > > > > > > > > > > > >
>> _______________________________________________
> > > > > > > > > > > > > > > > > >
>> keycloak-dev mailing list
> > > > > > > > > > > > > > > > > >
>> keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > > >
>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > > > > > > > > > > > > > > > >
>>
> > > > > > > > > > > > > > > > > >
>
> > > > > > > > > > > > > > > > > >
>
> > > > > > > > > > > > > > > > > >
>
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
--
> > > > > > > > > > > > > > > > > >
Bill Burke
> > > > > > > > > > > > > > > > > >
JBoss, a division of Red Hat
> > > > > > > > > > > > > > > > > >
http://bill.burkecentral.com
> > > > > > > > > > > > > > > > > >
_______________________________________________
> > > > > > > > > > > > > > > > > >
keycloak-dev mailing list
> > > > > > > > > > > > > > > > > >
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > > >
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
_______________________________________________
> > > > > > > > > > > > > > > > > >
keycloak-dev mailing list
> > > > > > > > > > > > > > > > > >
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > > >
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
_______________________________________________
> > > > > > > > > > > > > > > > > >
keycloak-dev mailing list
> > > > > > > > > > > > > > > > > >
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > > >
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > >
_______________________________________________
> > > > > > > > > > > > > > > > >
keycloak-dev mailing list
> > > > > > > > > > > > > > > > >
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > > > > > >
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
_______________________________________________
> > > > > > > > > > > > > keycloak-dev mailing
list
> > > > > > > > > > > > >
keycloak-dev(a)lists.jboss.org
> > > > > > > > > > > > >
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>