[keycloak-dev] Realms and applications
Stian Thorgersen
stian at redhat.com
Wed Jul 31 05:12:19 EDT 2013
Hm...
Surely there has to be a many applications per realm, why would you otherwise want SSO for a realm?
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 30 July, 2013 5:58:34 PM
> Subject: Re: [keycloak-dev] Realms and applications
>
> I'm not sure yet if there will be a one-to-many for realm->applications.
> But, An application needs to be aware of the realms it is interacting
> with for a variety of reasons.
>
> The whole OAuth 2 protocol[1] requires knowledge of the realm it is
> logging into:
>
> * It needs to be registered with the realm and have a client_id and set
> of credentials
> * It needs to know which realm to make an authenticated request to so it
> can turn an access code into an access token. (This happens after
> Keycloak redirects the browser back to the application)
> * For bearer token authentication, it needs to know the public key of
> the realm the token comes from so it can verify the signed token.
> * For single sign off, Keycloak sends a signed request to the admin URL
> of the Application. The application needs to know the public key of the
> realm sending the request so it can verify the signed request. It also
> needs a way to match the request user to an Http Session so it can
> invalidate that session.
>
> Obtaining user profile information is sensitive. In many cases, we have
> to know that the user authorized this behavior. In others, the realm
> admin will have to assign permission (one or more roles) to an
> application to be able to request this information.
>
> IMO, for the 1st few iterations, there should only be a one-to-one
> mapping between Realm and application. I'm not sure how useful
> one-to-many would be anyways.
>
> [1] http://tools.ietf.org/html/rfc6749
>
>
>
> On 7/30/2013 11:54 AM, Stian Thorgersen wrote:
> > Is the relationship between a realm and applications one-to-many? If so I
> > assume it would be possible to change the realm an application uses?
> >
> > Also I was wondering if it's necessary that an application has to know what
> > realm to use to login users. According to
> > https://github.com/keycloak/keycloak/wiki/Login-Algorithm the application
> > should redirect to:
> >
> > https://keycloak.org/realms/demo/tokens/login?state=...&redirect_uri=...&client_id=...
> >
> > Would it not be better if it didn't have to know about the realm? So login
> > would be something like:
> >
> > https://keycloak.org/oauth2/?state=...&redirect_uri=...&client_id=...
> >
> > Same applies when an application wants to access lists of users, or the
> > user profile for a specific user, etc.
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list