On 27/03/16 20:38, Hristo Stoyanov wrote:
Hi all,
I am trying to apply KC for:
1. Authentication. So far KC works well and as expected!
2. Change the authenticated user's roles as part of the application
logic - based on external credit card registration (by an external
credit card processor) and paid plan selection by the user, the web
app needs to move the authenticated user from the "free" role to the "premium"
realm role, which corresponds to the paid plan s/he selected.
Is there an example of how to use KC APIs to change the user's role
from within the app? I could not find anything specific in the
examples or documentation, but I see some things that go in that
direction:
A.
It seems like I have to use the Admin REST API somehow, but I am not
sure which REST calls from the vast REST APIs I need to use? Is it
"Add realm-level role mappings to the user" and "Delete realm-level
role mappings"? What is the "id" param then? Is this the "user id"? Can
you please categorize the REST APIs in groups - "user management",
"role CRUDs", etc., to make it easier to navigate?
There seems to be an example "admin-access-app", but it is not clear
where it gets the app username/password. Are they just hard-coded
"username" and "password"? In the case of Wildfly adapter, the client
secret is configured inside the standalone.xml configuration file,
so _I expect to not have to configure it or read it from file
configurations_, but the container should provide it/inject it for me?
Is this a correct assumption? Any example Wildfly code?
As mentioned in the other email, we have admin-client, which provides
calling of REST endpoints as Java methods, and we also have an example for it.
B.
It seems like I also need to use a service account
<http://blog.keycloak.org/2015/08/service-accounts-support-in-keycloak.htm...>, so
that the app can change user roles behind the scene on its own?
Correct? This blog post
<http://blog.keycloak.org/2015/08/service-accounts-support-in-keycloak.htm...>
is obsolete as there is no more "Service accounts enabled" switch I could
find. I figured one needs to switch to the "confidential" access type
instead. Is this correct? Unfortunately, the corresponding example,
"Service Account Example", does not show how one should proceed when
the client secret is configured in Wildfly's standalone.xml file
and the developer is not expected to parse configuration files (either
embedded in the WAR or elsewhere). Any example of how to get the
configured objects? I tried to get some clue from the
*KeycloakDeploymentBuilderTest.java* file, but it is not clear how one
can get *KeycloakDeployment* injected by the container rather than
parsing it from files. Any clue?
Feel free to create a JIRA for the service account documentation and
example update. But actually you don't need a service account to call
admin REST endpoints (even the admin-client currently doesn't support
service accounts, which we should improve. See the other mail I sent to
you earlier today). You need to create an admin user account and call admin
operations with the admin client through this account. It's using "Direct
access grants" rather than service accounts.
Marek
Thank you for the great product! And thank you for any guidance you
can provide - that would save me a lot of time and questions!
/Hristo
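As an added example that is not part of this thread or of the Keycloak project's own code, the following Java program does what question A asks using the approach Marek describes: the admin-client authenticates with a dedicated admin account through a direct access grant (no service account), looks up the user's internal id (the "id" parameter of the role-mapping endpoints is that id, not the username), and then replaces the "free" realm-level role mapping with "premium". The server URL, realm name, admin account, client id and the `PLAN_MANAGER_PASSWORD` environment variable are placeholders I chose for the example; only the role names "free" and "premium" come from the thread.

```java
// Added example (not code from the thread or the Keycloak project): moves a
// user from the "free" realm role to the "premium" realm role with the Keycloak
// admin-client, authenticating with a dedicated admin account through the
// "Direct access grants" flow. Server URL, realm, admin account and client id
// are placeholders to be replaced.
import java.util.Collections;
import java.util.List;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.RoleScopeResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class PlanUpgrade {

    // Placeholders: the realm the web app's users live in, and an account that
    // exists in that realm solely to perform this role change.
    private static final String SERVER_URL = "https://keycloak.example.invalid/auth";
    private static final String REALM = "myrealm";
    private static final String ADMIN_USER = "plan-manager";
    // Read from the environment rather than hard-coding it in the WAR.
    private static final String ADMIN_PASSWORD = System.getenv("PLAN_MANAGER_PASSWORD");
    // Public client with direct access grants enabled (placeholder).
    private static final String CLIENT_ID = "admin-cli";

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: PlanUpgrade <username>");
            System.exit(2);
        }
        upgradeToPremium(args[0]);
    }

    /** Replace the "free" realm role with "premium" for the given username. */
    public static void upgradeToPremium(String username) {
        // Direct access grant: the admin-client obtains a token with the admin
        // account's username/password; no service account is involved.
        Keycloak keycloak = Keycloak.getInstance(
                SERVER_URL, REALM, ADMIN_USER, ADMIN_PASSWORD, CLIENT_ID);
        try {
            RealmResource realm = keycloak.realm(REALM);

            // The "id" of the role-mapping endpoints is the user's internal id
            // (a UUID), not the username, so resolve it first. search() is a
            // substring match, hence the exact-username check.
            UsersResource users = realm.users();
            List<UserRepresentation> found = users.search(username, 0, 1);
            if (found.isEmpty() || !username.equals(found.get(0).getUsername())) {
                throw new IllegalArgumentException("no exact match for user " + username);
            }
            String userId = found.get(0).getId();

            // Resolve the realm roles by name; the RoleRepresentation carries
            // the role id that the REST endpoint needs in its payload.
            RoleRepresentation free = realm.roles().get("free").toRepresentation();
            RoleRepresentation premium = realm.roles().get("premium").toRepresentation();

            // Realm-level mappings of this user: add "premium", then drop "free".
            // Adding first means a failure between the two calls never leaves
            // the user without any plan role.
            RoleScopeResource realmRoles = users.get(userId).roles().realmLevel();
            realmRoles.add(Collections.singletonList(premium));
            realmRoles.remove(Collections.singletonList(free));
        } finally {
            keycloak.close();
        }
    }
}
```

Two practical points on this design: the account used here should be a separate service-style user granted only the realm-management privilege the calls need (manage-users rather than the full realm-admin composite), so that a compromise of the web app cannot administer the whole realm; and the role change is visible to the user only in tokens issued after it, so an access token already held by the browser keeps the "free" role until it is refreshed or the session is re-authenticated.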
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user