It seems a little involved, what you described below. I may need more help if I go with the
approach you mentioned.
I am also asking the Red Hat RestEasy team re their OAuth support, and they pointed me here as
they also do not provide any OAuth support in RestEasy.
It seems a little convoluted as well, and I have to do a lot of work to secure the REST
APIs.
Can you comment on these 2 alternatives? I am not a security expert and don't really want
to spend a lot of time implementing; I would rather have a more out-of-the-box solution.
Thanks.
Christina
On Jul 9, 2014, at 11:01 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
We did have some plans to provide something like this in Keycloak.
Basically it would be possible for users to create their own applications through account
management console. However, we simply don't have time to add this at the moment.
In the meantime there are at least two options available:
* Create your own application that lets users register applications, and use the KC admin
endpoints to create a client. You could then use the client_id as the API key, so users
wouldn't have to deal with both an API key and an oauth2 client id. You can also add
scope mappings to these clients to control what roles/features of your app they can
access.
* Contribute this to Keycloak - if this is something you're interested in let me know
and we can look at how feasible that would be
With regards to 1, you'd have to add that yourself. You could extend our adapter (or
add your own) that extracts the API key from a query param and/or header and uses the KC
admin endpoints to verify that it corresponds to the id of a client, and that the client
has the required scopes.
----- Original Message -----
> From: "Christina Lau" <christinalau28(a)icloud.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>, keycloak-user(a)lists.jboss.org
> Sent: Wednesday, 9 July, 2014 1:46:41 PM
> Subject: Re: [keycloak-user] Keycloak and registration workflow for REST API platform
>
> Hello Stian, here is what I am trying to do:
>
> 1. Create a self-service registration application, all users will use this
> application to register with their own email or twitter/facebook/google acct
> email. I will imagine I use the Keycloak login and use CSS to customize it
> to integrate with my own application.
>
> 2. The user will be issued a key/access token, this key will be used later to
> authorize the REST calls
>
> Now I want to support 3 kinds of authorization for the different REST calls:
>
> 1. API key only - for calls that just need to establish identity, but don't
> need to authenticate or authorize.
> 2. Authentication for more sensitive calls where I want to delegate
> authorization to a trusted location (i.e. keycloak)
> 3. Authorization for certain services where only authorized partners can
> invoke.
>
> Can you outline how I can implement this in Keycloak, esp what part I have to
> implement myself. I plan to use RestEasy to implement Restful services, but
> I need to make sure the Restful services can be called by all clients (i.e.
> support popular OAuth libraries). Thanks…
>
> Christina
>
> On Jul 9, 2014, at 4:15 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>
>> To answer your question properly I'd need more details about what you're
>> trying to achieve.
>>
>> It does sound like we pretty much already have what you need, with the
>> exception of letting users themselves create clients. Depending on your
>> use case it may be a good idea to have a single realm (and share users)
>> between all developers/applications, or it may be better to have a realm
>> per developer/application.
>>
>> For the latter we do have a role that lets users create new realms, but not
>> use any other realms. This could be used to let a developer register with
>> your platform and then be able to login to the admin console to create
>> clients, users, or whatever they want. For the first we have discussed in
>> the past, but do not support it yet, the ability to let users register
>> clients through the account management console.
>>
>> ----- Original Message -----
>>> From: "Christina Lau" <christinalau28(a)icloud.com>
>>> To: keycloak-user(a)lists.jboss.org
>>> Sent: Tuesday, 8 July, 2014 4:34:57 PM
>>> Subject: [keycloak-user] Keycloak and registration workflow for REST API
>>> platform
>>>
>>> I am wondering if I can use Keycloak to implement the registration
>>> workflow for a REST API platform, similar to Twitter
>>> (https://apps.twitter.com/) or LinkedIn (https://developer.linkedin.com/rest).
>>>
>>> I found some features like social login very applicable. However I am not
>>> quite sure how I will model this in Keycloak. For example, will I have 1
>>> realm per user, and each user that registers will have their own oauth client
>>> for their third party appl(s) that I need to grant access to, similar to the
>>> Tutorial 3 demo?
>>>
>>> If this is feasible to implement, can you outline the steps involved in this
>>> use case. I am thinking I will need to build a lot of it using the REST APIs
>>> you provided. Thanks in advance for any help.
>>>
>>> Christina
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>
>
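An added example (not from this thread, and not Keycloak's or RestEasy's own code) of the adapter Stian describes above: a JAX-RS 2.0 request filter that takes the API key from a header or query parameter, treats it as a Keycloak client_id, and checks through a lookup interface that the client exists and carries the required scope mapping. The `ClientRegistry` interface, the header name `X-Api-Key`, the query parameter `api_key` and the scope `api-read` are assumptions; a real `ClientRegistry` would query the KC admin endpoints.

```java
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;

/** Stand-in for a lookup against the Keycloak admin endpoints (assumed interface, not Keycloak API). */
interface ClientRegistry {
    /** Scope/role names mapped to the client with this client_id, or null if no such client exists. */
    Set<String> scopesFor(String clientId);
}

/** Rejects requests whose API key (= Keycloak client_id) is missing, unknown, or lacks the required scope. */
@Priority(Priorities.AUTHENTICATION)
public class ApiKeyFilter implements ContainerRequestFilter {
    static final String HEADER = "X-Api-Key";        // assumed header name
    static final String QUERY_PARAM = "api_key";     // assumed query parameter name
    static final String REQUIRED_SCOPE = "api-read"; // assumed scope mapping on the client

    private final ClientRegistry registry;
    public ApiKeyFilter(ClientRegistry registry) { this.registry = registry; }

    /** Header first; the query parameter is a fallback only, since query strings end up in server logs. */
    static String extractApiKey(ContainerRequestContext ctx) {
        String key = ctx.getHeaderString(HEADER);
        if (key == null || key.isEmpty()) {
            key = ctx.getUriInfo().getQueryParameters().getFirst(QUERY_PARAM);
        }
        return (key == null || key.isEmpty()) ? null : key;
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String apiKey = extractApiKey(ctx);
        if (apiKey == null) {                          // no key at all: 401
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        Set<String> scopes = registry.scopesFor(apiKey);
        if (scopes == null) {                          // no client with this client_id: 401
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        } else if (!scopes.contains(REQUIRED_SCOPE)) { // known client, insufficient scope: 403
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        } else {
            ctx.setProperty("apiClientId", apiKey);    // resources read the caller identity from here
        }
    }
}
```

Register an instance of the filter through your JAX-RS `Application#getSingletons()`; the `ClientRegistry` implementation is where the call to the KC admin endpoints belongs.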