Hello Michael,
In Keycloak, custom REST endpoints are realm-bound by design. But you can use master realm
to emulate "realm-independent" endpoints, since master is a special realm that
is guaranteed to always exist (unless you decide to break Keycloak by manually deleting it
:)
In fact, it's not about REST endpoints only. The rule of thumb is, if you need to
implement something realm-independent (or "global") in Keycloak, but the API
requires a realm, use master realm for that.
Regarding reliability and maintainability of this approach, please check out this thread
[1]. When implementing yet another KC extension that needed to be "global", I
became a bit concerned with the usage of master realm for that, but Stian actually
confirmed that would be pretty safe.
[1]
http://lists.jboss.org/pipermail/keycloak-dev/2018-November/011349.html
Good luck!
Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info(a)carretti.pro
On Fri, 2019-05-31 at 15:31 +0000, Michael Dailous wrote:
Is there anyone that can provide some guidance on this?
Michael
-----Original Message-----
Date: Thu, 30 May 2019 17:45:12 +0000
From: Michael Dailous <mdailous(a)forensiclogic.com>
Subject: [keycloak-user] Custom REST endpoint not associated with a
specific REALM
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Message-ID:
<BYAPR09MB2549F8DA4ED6A39523363562D6180(a)BYAPR09MB2549.namprd09.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"
Hi,
We are looking to implement a REST endpoint that will be used to query the REALM
information associated with a specified user. The REST endpoint will be publicly available
and used as part of the Authentication process, identifying which Keycloak REALM should be
used during the client authentication process. We've created REST endpoints that are
available through a REALM, such as "/auth/realms/master/admin-extensions/...".
Those specific REALMs are accessed post authentication. For this REST endpoint, we're
looking to access it generically pre authentication.
Is it possible to create a custom REST endpoint that's not associated with a specific
REALM?
Thanks,
Michael
------------------------------
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user