Re: [keycloak-user] Keycloak and registration workflow for REST API platform

From: "Christina Lau" <christinalau28(a)icloud.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt;, keycloak-user(a)lists.jboss.org Sent: Wednesday, 9 July, 2014 1:46:41 PM Subject: Re: [keycloak-user] Keycloak and registration workflow for REST API platform Hello Stian, here is what I am trying to do: 1. Create a self-service registration application, all users will use this application to register with their own email or twitter/facebook/google acct email. I will imagine I use the Keycloak login and use CSS to customize it to integrate with my own application. 2. The user will be issued a key/access token, this key will be used later to authorize the REST calls Now I want to support 3 kinds of authorization for the different REST calls: 1. API key only - for calls that just need to establish identity, but don't need to authenticate or authorize. 2. Authentication for more sensitive calls where I want to delegate authorization to a trusted location (i.e. keycloak) 3. Authorization for certain services where only authorized partners can invoke. Can you outline how I can implement this in Keycloak, esp what part I have to implement myself. I plan to use RestEasy to implement Restful services, but I need to make sure the Restful services can be called by all clients (i.e. support popular OAuth libraries). Thanks… Christina On Jul 9, 2014, at 4:15 AM, Stian Thorgersen <stian(a)redhat.com&gt; wrote: > To answer your question properly I'd need more details about what you're > trying to achieve. > > It does sound like we pretty much already have what you need, with the > exception of letting users themselves create clients. Depending on your > use case it may be a good idea to have a single realm (and share users) > between all developers/applications, or it may be better to have a realm > per developer/application. > > For the latter we do have a role that lets users create new realms, but not > use any other realms. This could be used to let a developer register with > your platform and then be able to login to the admin console to create > clients, users, or whatever they want. For the first we have discussed in > the past, but do not support it yet, the ability to let users register > clients through the account management console. > > ----- Original Message ----- >> From: "Christina Lau" <christinalau28(a)icloud.com&gt; >> To: keycloak-user(a)lists.jboss.org >> Sent: Tuesday, 8 July, 2014 4:34:57 PM >> Subject: [keycloak-user] Keycloak and registration workflow for REST API >> platform >> >> I am wondering if I can use Keycloak to implementation the registration >> workflow for a REST API platform, similar to Twitter >> (https://apps.twitter.com/) or Linkedln >> (https://developer.linkedin.com/rest). >> >> I found some features like social login very applicable. However I am not >> quite sure how I will model this in Keycloak. For example, will I have 1 >> realm per user and each user that registers will have their own oauth >> client >> for their third party appl(s) that I need to grant access to similar to >> the >> Tutorial 3 demo? >> >> If this is feasible to implement, can you outline the steps involved in >> this >> use case. I am thinking I will need to build a lot of it using the REST >> APIs >> you provided. Thanks in advance for any help. >> >> Christina >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>