There's not that much you have to do really. Keycloak provides most of what you'll
need (OAuth2, securing REST services with RBAC, user management, login/registration forms,
social logins, etc.). As I said, the only two pieces we don't provide are:
1. Allow users to register applications/clients themselves - this has to be done by admins at the moment
2. API key for unauthenticated requests - this could be done quite easily with a JAX-RS interceptor
I'd start without 1 and 2, then add those once you've got things working.
----- Original Message -----
From: "Christina Lau" <christinalau28(a)icloud.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Thursday, 10 July, 2014 12:05:05 PM
Subject: Re: [keycloak-user] Keycloak and registration workflow for REST API platform
It seems a little involved, what you described below. I may need more help if I
go with the approach you mentioned.
I am also asking the Red Hat RestEasy team re their OAuth support, and they pointed
me here as they also do not provide any OAuth support in RestEasy:
https://docs.jboss.org/resteasy/docs/3.0.7.Final/userguide/html/oauth2.html
Support Case:
https://access.redhat.com/support/cases/01136430/
It seems a little convoluted as well, and I have to do a lot of work to secure
the REST APIs.
Can you comment on these 2 alternatives? I am not a security expert and don't
really want to spend a lot of time implementing; I would rather have a more
out-of-the-box solution. Thanks.
Christina
On Jul 9, 2014, at 11:01 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> We did have some plans to provide something like this in Keycloak.
> Basically it would be possible for users to create their own applications
> through account management console. However, we simply don't have time to
> add this at the moment.
>
> In the meantime there are at least two options available:
>
> * Create your own application that lets users register applications, and
> use the KC admin endpoints to create a client. You could then use the
> client_id as the API key, so users wouldn't have to deal with both an API
> key and an OAuth2 client id. You can also add scope mappings to these
> clients to control what roles/features of your app they can access.
> * Contribute this to Keycloak - if this is something you're interested in,
> let me know and we can look at how feasible that would be.
>
> With regards to 1, you'd have to add that yourself. You could extend our
> adapter (or add your own) that extracts the API key from a query param
> and/or header and uses the KC admin endpoints to verify that it
> corresponds to the id of a client, and that the client has the required
> scopes.
>
> ----- Original Message -----
>> From: "Christina Lau" <christinalau28(a)icloud.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>, keycloak-user(a)lists.jboss.org
>> Sent: Wednesday, 9 July, 2014 1:46:41 PM
>> Subject: Re: [keycloak-user] Keycloak and registration workflow for REST API platform
>>
>> Hello Stian, here is what I am trying to do:
>>
>> 1. Create a self-service registration application; all users will use this
>> application to register with their own email or twitter/facebook/google acct
>> email. I imagine I will use the Keycloak login and use CSS to customize it
>> to integrate with my own application.
>>
>> 2. The user will be issued a key/access token; this key will be used later
>> to authorize the REST calls.
>>
>> Now I want to support 3 kinds of authorization for the different REST calls:
>>
>> 1. API key only - for calls that just need to establish identity, but don't
>> need to authenticate or authorize.
>> 2. Authentication for more sensitive calls where I want to delegate
>> authorization to a trusted location (i.e. keycloak)
>> 3. Authorization for certain services where only authorized partners can
>> invoke.
>>
>> Can you outline how I can implement this in Keycloak, esp. what part I have
>> to implement myself? I plan to use RestEasy to implement Restful services,
>> but I need to make sure the Restful services can be called by all clients
>> (i.e. support popular OAuth libraries). Thanks…
>>
>> Christina
>>
>> On Jul 9, 2014, at 4:15 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>>
>>> To answer your question properly I'd need more details about what you're
>>> trying to achieve.
>>>
>>> It does sound like we pretty much already have what you need, with the
>>> exception of letting users themselves create clients. Depending on your
>>> use case it may be a good idea to have a single realm (and share users)
>>> between all developers/applications, or it may be better to have a realm
>>> per developer/application.
>>>
>>> For the latter we do have a role that lets users create new realms, but not
>>> use any other realms. This could be used to let a developer register with
>>> your platform and then be able to login to the admin console to create
>>> clients, users, or whatever they want. For the first we have discussed in
>>> the past, but do not support it yet, the ability to let users register
>>> clients through the account management console.
>>>
>>> ----- Original Message -----
>>>> From: "Christina Lau" <christinalau28(a)icloud.com>
>>>> To: keycloak-user(a)lists.jboss.org
>>>> Sent: Tuesday, 8 July, 2014 4:34:57 PM
>>>> Subject: [keycloak-user] Keycloak and registration workflow for REST API platform
>>>>
>>>> I am wondering if I can use Keycloak to implement the registration
>>>> workflow for a REST API platform, similar to Twitter
>>>> (https://apps.twitter.com/) or LinkedIn (https://developer.linkedin.com/rest).
>>>>
>>>> I found some features like social login very applicable. However, I am not
>>>> quite sure how I will model this in Keycloak. For example, will I have 1
>>>> realm per user, and each user that registers will have their own oauth client
>>>> for their third party appl(s) that I need to grant access to, similar to the
>>>> Tutorial 3 demo?
>>>>
>>>> If this is feasible to implement, can you outline the steps involved in this
>>>> use case? I am thinking I will need to build a lot of it using the REST APIs
>>>> you provided. Thanks in advance for any help.
>>>>
>>>> Christina
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>
>>