User information can be obtained from the IDToken within
KeycloakSecurityContext. You can set up what information is in the
IDToken via the claims page in each application/oauth client.
For other user requests (like changing passwords), use the Account
Service. Every authenticated user has permission to access this REST
API by default.
On 4/15/2014 10:41 AM, Nils Preusker wrote:
By management REST API you mean the API the admin console uses?
Just to make sure I understand your suggestion correctly:
* I would use the management REST API (same API the admin console uses)
from my backend application
* my backend application would need a user ("application user") within
the keycloak-admin realm
* when accessing the management REST API, I would add an "Authorization:
Bearer ..." header with the token I can obtain from
.../auth/rest/realms/MY-REALM/tokens/grants/access
Cheers,
Nils
On Tue, Apr 15, 2014 at 3:10 PM, Bill Burke <bburke(a)redhat.com> wrote:
IMO, you should not use the model directly in your applications. The
management REST API gives you full access to security metadata. Use
that. Plus, in the very near future (after beta-1 release) we'll be
implementing a cache and if you are modifying data directly, there will
be possibilities of this cache using stale data.
On 4/15/2014 4:30 AM, Stian Thorgersen wrote:
> At some point we'll add Java and REST APIs for user
> management. This will also include being able to register listeners
> for user events (for example user created, user deleted, etc).
>
> In the meantime I don't see any issues with using
> keycloak-model-jpa directly, especially not for read only. This API
> will quite likely change between versions, and we won't support any
> backwards compatibility. The "official" user management API once
> it's ready will be more stable, but I'm not sure when we'll have
> time to implement that.
>
> ----- Original Message -----
>> From: "Nils Preusker" <n.preusker(a)gmail.com>
>> To: keycloak-user(a)lists.jboss.org
>> Sent: Tuesday, 15 April, 2014 9:22:44 AM
>> Subject: [keycloak-user] Sharing users
>>
>> Hi, I have a question regarding user management and sharing access to the
>> keycloak database between applications.
>>
>> While the keycloak admin console can be used to manage users, other
>> applications may also need to access the user database. Is there a
>> recommended way of accomplishing this?
>>
>> I've been experimenting with adding keycloak-model-jpa to my .war as a
>> dependency and looking at the bootstrapping in
>> org.keycloak.services.resources.KeycloakApplication. However, I wasn't able
>> to get it to work yet and have the feeling that I might be going the wrong
>> way here.
>>
>> Any hints?
>>
>> Cheers,
>> Nils
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com