Hi Bill,

thanks, I wasn't fully aware of the AccountService. However, we'll need to implement a user management page within our application that gives access to all users and role mappings within the realm. So I suppose I would either have to access the admin console back-end via REST with a keycloak-admin-realm user or use the JPA entities from keycloak-model-jpa directly.

I would assume that this is a pretty standard use case though. After all, the only alternative would be exposing the admin console to end users. Or am I missing something?

Cheers,
Nils
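
Added example, not code from this thread or from the Keycloak project: a small Python client for the flow Nils outlines (a dedicated application user in the keycloak-admin realm obtains a token from `.../auth/rest/realms/MY-REALM/tokens/grants/access` and sends it as `Authorization: Bearer ...` to the admin REST API from the backend). The token-grant path is the one quoted in the thread; the admin users path, the form field names, the host, the realm names and the credentials are assumptions, and `FakeKeycloak` is a constructed in-memory stand-in so the script runs offline. It also covers what the thread leaves implicit: caching the token until shortly before its `exp` claim and re-acquiring it once when the server answers 401.

```python
# Added example (not code from the keycloak-user thread or Keycloak itself): backend client for Nils's flow.
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/auth/rest/realms/{realm}/tokens/grants/access"  # path quoted in the thread
ADMIN_USERS_PATH = "/auth/rest/admin/realms/{realm}/users"     # assumed admin API path, not from the thread

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(jwt: str) -> dict:
    """Payload of a compact JWT. The signature is deliberately not checked here: the client
    only reads 'exp' to time its refresh; Keycloak validates the token on every admin call."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))

class AdminClient:
    """Logs in as a dedicated application user of the admin realm (name assumed). Give that
    user only the realm roles the user-management page needs: this process holds its password."""
    def __init__(self, base_url, admin_realm, username, password, transport=None, clock=time.time):
        self.base_url, self.admin_realm = base_url.rstrip("/"), admin_realm
        self.username, self.password = username, password
        self.transport = transport or self._http  # (method, url, headers, body) -> (status, bytes)
        self.clock, self._token, self._exp = clock, None, 0.0

    @staticmethod
    def _http(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()

    def access_token(self) -> str:
        now = self.clock()
        if self._token is not None and now < self._exp - 30:  # reuse until 30 s before expiry
            return self._token
        url = self.base_url + TOKEN_PATH.format(realm=self.admin_realm)
        form = urllib.parse.urlencode({"username": self.username, "password": self.password}).encode()
        status, data = self.transport("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError("token grant failed: HTTP %d" % status)  # never put the credentials in errors
        self._token = json.loads(data)["access_token"]
        self._exp = float(decode_claims(self._token).get("exp", now))
        return self._token

    def list_users(self, realm: str) -> list:
        url = self.base_url + ADMIN_USERS_PATH.format(realm=realm)
        for _ in range(2):  # retry once with a fresh token if the server rejects the cached one
            headers = {"Authorization": "Bearer " + self.access_token(), "Accept": "application/json"}
            status, data = self.transport("GET", url, headers, None)
            if status != 401:
                break
            self._token = None
        if status != 200:
            raise RuntimeError("admin API call failed: HTTP %d" % status)
        return json.loads(data)

class FakeKeycloak:
    """Constructed in-memory stand-in for the server (with its own clock) so the example runs offline."""
    def __init__(self, now=1_000_000.0, lifetime=60):
        self.now, self.lifetime, self.issued, self.clock = now, lifetime, 0, lambda: self.now
        self.users = [{"username": "alice"}, {"username": "bob"}]  # constructed sample data
        self.revoked, self.requests = set(), []

    def _issue(self) -> str:
        self.issued += 1
        claims = {"sub": "app-user", "jti": self.issued, "exp": int(self.now) + self.lifetime}
        header = b64url_encode(json.dumps({"alg": "none"}).encode())
        return header + "." + b64url_encode(json.dumps(claims).encode()) + "."  # unsigned stand-in

    def __call__(self, method, url, headers, body):
        self.requests.append((method, url))
        if url.endswith(TOKEN_PATH.format(realm="keycloak-admin")):
            if urllib.parse.parse_qs(body.decode()).get("password") != ["s3cret"]:
                return 401, b"{}"
            return 200, json.dumps({"access_token": self._issue()}).encode()
        token = headers.get("Authorization", "")[len("Bearer "):]
        if not token or token in self.revoked or decode_claims(token)["exp"] <= self.now:
            return 401, b""
        return 200, json.dumps(self.users).encode()

def demo() -> tuple:
    server = FakeKeycloak()
    client = AdminClient("https://sso.example.test", "keycloak-admin", "app-user", "s3cret", server, server.clock)
    client.list_users("MY-REALM")              # token grant + admin call
    client.list_users("MY-REALM")              # cached token: admin call only
    server.revoked.add(client.access_token())  # server-side revocation -> 401 -> one re-grant
    client.list_users("MY-REALM")
    server.now += 120                          # past 'exp': the client re-grants before calling
    users = client.list_users("MY-REALM")
    grants = sum(1 for method, _ in server.requests if method == "POST")
    return [u["username"] for u in users], grants, len(server.requests) - grants
```

`demo()` drives the client against the fake server and returns the user names plus how many token grants and admin calls were made (three grants for five admin calls: one initial, one after the 401, one after expiry). Against a real server, construct `AdminClient` without the `transport` and `clock` arguments and it uses `urllib` over HTTPS; the point of the injected transport is only to make the refresh and 401 handling testable without a network.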



On Tue, Apr 15, 2014 at 4:45 PM, Bill Burke <bburke@redhat.com> wrote:
User information can be obtained from the IDToken within
KeycloakSecurityContext.  You can set up what information is in the
IDToken via the claims page in each application/oauth client.

For other user requests (like changing passwords), use the Account
Service.  Every authenticated user has permission to access this REST
API by default.

On 4/15/2014 10:41 AM, Nils Preusker wrote:
> By management REST API you mean the API the admin console uses?
>
> Just to make sure I understand your suggestion correctly:
>
> * I would use the management REST API (same API the admin console uses)
> from my backend application
> * my backend application would need a user ("application user") within
> the keycloak-admin realm
> * when accessing the management REST API, I would add an "Authorization:
> Bearer ..." header with the token I can obtain from
> .../auth/rest/realms/MY-REALM/tokens/grants/access
>
> Cheers,
> Nils
>
>
>
> On Tue, Apr 15, 2014 at 3:10 PM, Bill Burke <bburke@redhat.com> wrote:
>
>     IMO, you should not use the model directly in your applications.  The
>     management REST API gives you full access to security metadata.  Use
>     that.  Plus, in the very near future (after beta-1 release) we'll be
>     implementing a cache and if you are modifying data directly, there will
>     be possibilities of this cache using stale data.
>
>     On 4/15/2014 4:30 AM, Stian Thorgersen wrote:
>      > At some point we'll add Java and REST APIs for user
>     management. This will also include being able to register listeners
>     for user events (for example user created, user deleted, etc).
>      >
>      > In the meantime I don't see any issues with using
>     keycloak-model-jpa directly, especially not for read only. This API
>     will quite likely change between versions, and we won't support any
>     backwards compatibility. The "official" user management API once
>     it's ready will be more stable, but I'm not sure when we'll have
>     time to implement that.
>      >
>      > ----- Original Message -----
>      >> From: "Nils Preusker" <n.preusker@gmail.com>
>      >> To: keycloak-user@lists.jboss.org
>      >> Sent: Tuesday, 15 April, 2014 9:22:44 AM
>      >> Subject: [keycloak-user] Sharing users
>      >>
>      >> Hi, I have a question regarding user management and sharing
>     access to the
>      >> keycloak database between applications.
>      >>
>      >> While the keycloak admin console can be used to manage users, other
>      >> applications may also need to access the user database. Is there a
>      >> recommended way of accomplishing this?
>      >>
>      >> I've been experimenting with adding keycloak-model-jpa to my
>     .war as a
>      >> dependency and looking at the bootstrapping in
>      >> org.keycloak.services.resources.KeycloakApplication. However, I
>     wasn't able
>      >> to get it to work yet and have the feeling that I might be going
>     the wrong
>      >> way here.
>      >>
>      >> Any hints?
>      >>
>      >> Cheers,
>      >> Nils
>      >>
>      >> _______________________________________________
>      >> keycloak-user mailing list
>      >> keycloak-user@lists.jboss.org
>      >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>      >
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>
>
>
>
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com