[keycloak-dev] Realms and applications
Bill Burke
bburke at redhat.com
Wed Jul 31 08:05:57 EDT 2013
Sorry, I meant many to many: Realm - Application. I thought that's what
you were implying. At runtime the Application needs knowledge of the
Realm it is working with as described earlier.
On 7/31/2013 5:12 AM, Stian Thorgersen wrote:
> Hm...
>
> Surely there has to be a many applications per realm, why would you otherwise want SSO for a realm?
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Tuesday, 30 July, 2013 5:58:34 PM
>> Subject: Re: [keycloak-dev] Realms and applications
>>
>> I'm not sure yet if there will be a one-to-many for realm->applications.
>> But, An application needs to be aware of the realms it is interacting
>> with for a variety of reasons.
>>
>> The whole OAuth 2 protocol[1] requires knowledge of the realm it is
>> logging into:
>>
>> * It needs to be registered with the realm and have a client_id and set
>> of credentials
>> * It needs to know which realm to make an authenticated request to so it
>> can turn an access code into an access token. (This happens after
>> Keycloak redirects the browser back to the application)
>> * For bearer token authentication, it needs to know the public key of
>> the realm the token comes from so it can verify the signed token.
>> * For single sign off, Keycloak sends a signed request to the admin URL
>> of the Application. The application needs to know the public key of the
>> realm sending the request so it can verify the signed request. It also
>> needs a way to match the request user to an Http Session so it can
>> invalidate that session.
>>
>> Obtaining user profile information is sensitive. In many cases, we have
>> to know that the user authorized this behavior. In others, the realm
>> admin will have to assign permission (one or more roles) to an
>> application to be able to request this information.
>>
>> IMO, for the 1st few iterations, there should only be a one-to-one
>> mapping between Realm and application. I'm not sure how useful
>> one-to-many would be anyways.
>>
>> [1] http://tools.ietf.org/html/rfc6749
>>
>>
>>
>> On 7/30/2013 11:54 AM, Stian Thorgersen wrote:
>>> Is the relationship between a realm and applications one-to-many? If so I
>>> assume it would be possible to change the realm an application uses?
>>>
>>> Also I was wondering if it's necessary that an application has to know what
>>> realm to use to login users. According to
>>> https://github.com/keycloak/keycloak/wiki/Login-Algorithm the application
>>> should redirect to:
>>>
>>> https://keycloak.org/realms/demo/tokens/login?state=...&redirect_uri=...&client_id=...
>>>
>>> Would it not be better if it didn't have to know about the realm? So login
>>> would be something like:
>>>
>>> https://keycloak.org/oauth2/?state=...&redirect_uri=...&client_id=...
>>>
>>> Same applies when an application wants to access lists of users, or the
>>> user profile for a specific user, etc.
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list