[keycloak-dev] Device mgmt

Matthias Wessendorf matzew at apache.org
Fri Jan 24 12:54:02 EST 2014


+1 on this scenario


There is a different scenario:

* the mobile app does not require an actual user (e.g. think about
something like a News-App (e.g. "ESPN Sports Ticker")), but the device
still needs to be registered w/ a server, so that the server later can use
the device metadata for sending push notifications to the iOS / Android
device. The AeroGear UnifiedPush Server is doing it (currently) via HTTP
Basic (see [1]).


Is this some scenario you are interested in supporting as well? Or is the
(current) focus more around storing 'devices' / 'device metadata' under a
real user (which is most-likely a pure enterprise use-case)?

Greetings,
Matthias

[1] http://aerogear.org/docs/specs/aerogear-push-rest/DeviceRegistration/



On Fri, Jan 24, 2014 at 5:30 PM, Bill Burke <bburke at redhat.com> wrote:

> Here's my thoughts on device mgmt, both UI and protocol:
>
> Scenario:
>
> An iOS device has a "Brokerage App" installed.  The app needs to do REST
> invocations to be able to trade stocks, etc.  Devices must be registered
> in order to obtain permission.  Flow would look like this:
>
> * User installs app on iPad.
> * User hits login button on app.
> * User is redirected to browser with a Keycloak server URL
> * User enters in credentials
> * User is redirected to "Device Registration" page.  Keycloak asks user
> if it authorizes access to the device.
> * Keycloak registers the device under the user and generates a device token
> * User is redirected back to iPad app
> * iPad app gets auth code from redirect URL
> * iPad makes REST request to obtain auth token *AND* a device token.
> * iPad app stores the device token.
>
> Next login is the same, except there is no "grant" page displayed. The
> iPad app uses the "device token" as a credential to turn an access code
> into an access token.  These are all extensions we'll need to make to
> the current OAuth protocol.
>
> UI work:
>
> The User Account Service will need a way to list registered devices so
> the user can see it and manage it (i.e. remove a registered device).
>
> Admin Console should have a way to define a "Device Type".  The name,
> description and scope of the device type is defined.  "name" is used in
> the initial OAuth grant as a client_id identifier so that Keycloak knows
> what to display as a description in the
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
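The device-registration flow quoted above (first login shows a grant page and hands the app a device token together with the access token; later logins require that device token as a second credential when turning the auth code into an access token; the account service lets the user remove a device) can be modelled in a few dozen lines. The following is an added, constructed illustration and not Keycloak or AeroGear code: the class names, the "grant_approved" flag on the auth code, the placeholder access token and the hashed-at-rest device token are all assumptions made for the example.

```python
"""Toy model of the device-token extension to the OAuth code flow.

Constructed example, not Keycloak code. A server keeps a per-user device
registry; the first exchange (after the user approved the device on the
grant page) registers the device and returns a device token exactly once;
later exchanges require that device token alongside the auth code; removing
the device from the account revokes the token.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _digest(token: str) -> str:
    # Only a hash of the device token is stored, so a leaked database does
    # not yield usable device credentials.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Device:
    device_id: str
    device_type: str  # the Device Type "name", used like a client_id
    token_hash: str
    revoked: bool = False


@dataclass
class AuthServer:
    devices: dict[str, list[Device]] = field(default_factory=dict)
    # auth code -> (user, device_type, grant_approved); codes are single-use
    pending_codes: dict[str, tuple[str, str, bool]] = field(default_factory=dict)

    def issue_auth_code(self, user: str, device_type: str,
                        grant_approved: bool = False) -> str:
        """Issued after browser login; grant_approved means the user accepted
        the device on the "Device Registration" page during this login."""
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = (user, device_type, grant_approved)
        return code

    def _register_device(self, user: str, device_type: str) -> tuple[str, str]:
        token = secrets.token_urlsafe(32)
        device_id = secrets.token_hex(8)
        self.devices.setdefault(user, []).append(
            Device(device_id, device_type, _digest(token)))
        return device_id, token

    def list_devices(self, user: str) -> list[str]:
        """Account-service view: devices the user can see and remove."""
        return [d.device_id for d in self.devices.get(user, []) if not d.revoked]

    def remove_device(self, user: str, device_id: str) -> bool:
        for d in self.devices.get(user, []):
            if d.device_id == device_id and not d.revoked:
                d.revoked = True
                return True
        return False

    def exchange_code(self, code: str, device_token: str | None = None):
        """Turn an auth code into an access token. First login: the code
        carries the grant approval, so the device is registered and its token
        returned once. Later logins: the device token must match a live device
        of the same type registered under the code's user."""
        entry = self.pending_codes.pop(code, None)  # single use: replay fails
        if entry is None:
            return None
        user, device_type, grant_approved = entry
        access = {"access_token": "access-token-for-" + user}  # placeholder
        if grant_approved:
            device_id, token = self._register_device(user, device_type)
            return {**access, "device_id": device_id, "device_token": token}
        if device_token is None:
            return None
        presented = _digest(device_token)
        for d in self.devices.get(user, []):
            if d.revoked or d.device_type != device_type:
                continue
            if hmac.compare_digest(d.token_hash, presented):
                return access
        return None


def demo() -> dict[str, object]:
    srv = AuthServer()
    # First login: grant page accepted, device registered, token returned once.
    first = srv.exchange_code(
        srv.issue_auth_code("alice", "brokerage-ios", grant_approved=True))
    dev_id, dev_token = first["device_id"], first["device_token"]
    # Later login: no grant page; the stored device token accompanies the code.
    second = srv.exchange_code(srv.issue_auth_code("alice", "brokerage-ios"), dev_token)
    # Failure cases: wrong token, missing token, and a removed device.
    wrong = srv.exchange_code(srv.issue_auth_code("alice", "brokerage-ios"), "bogus")
    no_token = srv.exchange_code(srv.issue_auth_code("alice", "brokerage-ios"))
    srv.remove_device("alice", dev_id)
    after_removal = srv.exchange_code(
        srv.issue_auth_code("alice", "brokerage-ios"), dev_token)
    return {"first": first, "second": second, "wrong": wrong,
            "no_token": no_token, "after_removal": after_removal,
            "devices_left": srv.list_devices("alice")}


if __name__ == "__main__":
    print(demo())
```

Two points worth noting in the model: the device token is a bearer credential, so it is stored hashed and compared in constant time, and it is bound to both the user and the Device Type name so a token registered for one app cannot redeem a code issued for another.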