[keycloak-dev] creating a realm UI

Marek Posolda mposolda at redhat.com
Wed Sep 4 08:52:49 EDT 2013


On 4.9.2013 13:48, Bill Burke wrote:
>
>
> On 9/4/2013 5:27 AM, Marek Posolda wrote:
>> On 3.9.2013 16:10, Bill Burke wrote:
>>> I was thinking about this a little more.  What does an admin need to
>>> create an initial social or SSO realm?  Minimally for 1st application?
>>>
>>> * Name of Realm
>>> * Name of Application
>>> * Credentials for Application (password)
>>> * Enable Social
>>> * Enable Registration
>>>
>>> So, initial page could be:
>>>
>>> New Realm Name: xxxxxxx
>>> Social X Registration X
>> There are much more options for realm, would those be accessible during
>> registration as well?
>
> They would be accessible after the initial steps.  The idea is to be 
> able to get to a working prototype as fast as possible.
>
>> It seems that we will also need something to
>> handle upload of public/private keys for particular realm to use that
>> realm?
>
> Keycloak server can generate the key pair in most cases.  We can add 
> the ability to set the pair later if asked for by users.
>
>> I wonder if it's good idea to initialize it from Keystore file,
>> which could be possibly uploaded through UI, but admin would need to
>> specify key alias/keystore password and key password in this case...
>>
>
> That could be an option, but again, I think it's simpler for user if 
> keycloak server generates the key pair.
Yeah, sure. Generation should be easier. I can just imagine that some 
users may want to use their own keys/certificate.
>
>> For social registration, it seems that we will need to specify which
>> social providers will be available for each realm (For example Realm X
>> will allow to register users through Facebook or Twitter, Realm Y will
>> allow users to register users through Google etc.)
>
> Why would we have this option?  Why would users want google/fb, but 
> not twitter/yahoo?
Maybe users (I mean end-users) want everything, but keycloak 
administrator may want to restrict the registration just to some social 
networks? One of the reasons is that if administrator wants to have 
support for particular social network, he usually needs to register an 
application in it to obtain consumerKey/consumerSecret and then he needs 
to configure it in Keycloak, so it requires some action from him.
>
>> It seems that we will
>> also need that each realm will have different combinations for
>> consumerKey/consumerSecret for particular providers (actually it's
>> shared and consumerKey/consumerSecret are initialized from system
>> properties). Not sure if we want to allow all those settings to be part
>> of Realm registration page or later during realm editing?
>>
>
> We talked before about having a global keycloak account for the SaaS 
> service so that initial users would have less setup.  This of course 
> could be overridden.
Shared consumerKey/consumerSecret of some social provider for whole SaaS 
(or for more realms) would mean that if end-user grants permission to 
some social provider, it will be also automatically granted to all 
applications in all realms which use the same consumerKey/consumerSecret 
for this social provider. Also some social networks have limits for max. 
number of requests, which could be easily exceeded when it's globally 
shared. But on the other hand, it may be useful for quick testing.
>
> But....
>
> We also discussed *NOT* having a SaaS service, but instead providing an 
> OpenShift cartridge that could be installed.  I don't think it is 
> possible to automate account creation on these social sites.  Do you?
I don't think it's possible to automatically create accounts or 
automatically create applications (combinations of 
consumerKey/consumerSecret). At least not in social networks I know 
(Facebook, Google, Twitter). I just know that Facebook supports 
something like creating test accounts for particular registered application.

Marek
>
>
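
The trade-off discussed in this message (a consumerKey/consumerSecret pair per realm versus one pair shared globally) can be audited with a short script. This is an added example, not part of the original thread and not Keycloak code; the realm names, provider settings and the `resolve`/`shared_keys` helpers are hypothetical, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data: global (shared) credentials, as when they come
# from system properties, plus optional per-realm overrides.
GLOBAL_DEFAULTS = {
    "facebook": {"consumerKey": "global-fb-key", "consumerSecret": "global-fb-secret"},
    "google": {"consumerKey": "global-gg-key", "consumerSecret": "global-gg-secret"},
    "twitter": {"consumerKey": "global-tw-key", "consumerSecret": "global-tw-secret"},
}
REALMS = {
    "realm-x": {
        "enabled": ["facebook", "twitter"],
        "overrides": {
            "facebook": {"consumerKey": "x-fb-key", "consumerSecret": "x-fb-secret"},
        },
    },
    "realm-y": {"enabled": ["google", "twitter"], "overrides": {}},
    "realm-z": {"enabled": ["twitter"], "overrides": {}},
}


def resolve(realm_name, provider, realms=REALMS, defaults=GLOBAL_DEFAULTS):
    """Return (credentials, source); source is 'realm' or 'global'."""
    realm = realms[realm_name]
    if provider not in realm["enabled"]:
        raise LookupError(f"{provider} is not enabled for {realm_name}")
    if provider in realm["overrides"]:
        return realm["overrides"][provider], "realm"
    if provider in defaults:
        return defaults[provider], "global"
    raise LookupError(f"no credentials configured for {provider}")


def shared_keys(realms=REALMS, defaults=GLOBAL_DEFAULTS):
    """Map (provider, consumerKey) to the realms using it, for keys used by 2+ realms.

    Each entry is a group of realms that share end-user consent and the
    provider's request quota, because the provider sees them as one application.
    """
    users = defaultdict(set)
    for name, realm in realms.items():
        for provider in realm["enabled"]:
            creds, _source = resolve(name, provider, realms, defaults)
            users[(provider, creds["consumerKey"])].add(name)
    return {key: sorted(names) for key, names in users.items() if len(names) > 1}


if __name__ == "__main__":
    for (provider, key), names in shared_keys().items():
        print(f"{provider} key {key} is shared by: {', '.join(names)}")
```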


