[keycloak-dev] REST based identity management

Bill Burke bburke at redhat.com
Thu Feb 12 09:07:09 EST 2015


We will probably eventually merge the concepts of an OAuth client and an 
Application.  Right now, OAuth clients require a consent page and 
applications do not.  OAuth clients also have different default settings 
than applications.  Applications tend to be more trusted entities.  That 
was the idea when Keycloak started.

The Admin REST API can be used to determine anything you want.  Our 
admin console uses this REST API.  We have javadoc-like REST API docs on 
our website.  Might not be the best documentation, but it's all we've got 
right now.

Having a different application gather credentials and provide screens is 
really counter to the spirit of Keycloak.  Looks like we will have to 
support this use case though.

On 2/11/2015 4:03 PM, Reza Rasouli wrote:
> Hi,
>
> regarding multi-tenancy in Keycloak, where each tenant maps to a realm,
> I wanted to ask for help in clarifying some key concepts in Keycloak to
> aid in implementing a simple REST based identity management POC.
>
> Imagine there is a requirement for a multi-tenant environment where user
> registration (=creation), user login, user logout and knowing whether a
> user is still logged in or not must be done over some wrapper REST
> service which exposes the mentioned functionality to the outside world.
>
> With Keycloak being deployed in a private network, I have written some
> wrapper REST service which does create users for a desired tenant
> (=realm), and this wrapper service itself calls Keycloak's "Direct
> Grant API" from an OAuth Client with Super-User Credentials, both
> defined in the "master" realm, having sufficient privileges over all
> realms (as defined by the documentation in "Chapter 17. Admin REST API").
>
> Now I want to be able to wrap the logging-in and logging-out process of
> a user into a tenant in the same way as user creation, and I don't
> know exactly how to work around this scenario.
>
> There are some different questions in my head regarding the situation
> explained above which I wanted to ask:
>
>   * To be able to log a user in/out through a wrapper REST service,
>     which has been passed the user credentials and wants to use
>     Keycloak REST APIs, should I create an OAuth client for each realm
>     and log the user in/out using the related OAuth client in each
>     realm?
>   * Which REST API provides information on whether a specific user is
>     already logged in or not on a specific realm?
>   * How does the "Application" concept in Keycloak differ from "OAuth
>     Client", and does it make sense to log a user in to an application
>     (over the REST API)? If yes, how is this different from logging a
>     user into a realm with an OAuth Client?
>
> Thanks a lot,
> I really appreciate your help.
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
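The flow the quoted message describes (direct grant against the master realm, then Admin REST calls against a tenant realm, including the "is this user still logged in?" lookup that the reply says the Admin REST API can answer), as an added Python example that is not part of this thread and not Keycloak's own code. It assumes the endpoint paths of current Keycloak (`/realms/{realm}/protocol/openid-connect/token` and `/admin/realms/{realm}/...`), which differ from the 2015 release discussed here, and a hypothetical base URL; the super-user credentials are read from the environment rather than embedded in the wrapper.

```python
import json
import os
import urllib.parse
import urllib.request

# Hypothetical base URL; endpoint paths below follow current Keycloak.
BASE = os.environ.get("KC_BASE", "https://keycloak.internal.example")


def direct_grant_request(realm, client_id, username, password):
    """Token request for the 'direct grant' (password) flow in a realm.
    Returns (url, form-encoded body); POST it to obtain an access token."""
    url = f"{BASE}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id,
                                   "username": username, "password": password})
    return url, body.encode()


def create_user_request(tenant_realm, token, username, email):
    """Admin REST call creating a user in a tenant realm. The bearer token
    belongs to the master-realm super-user the quoted message describes,
    so the wrapper holding it is a high-value component to protect."""
    payload = json.dumps({"username": username, "email": email, "enabled": True})
    return urllib.request.Request(
        f"{BASE}/admin/realms/{tenant_realm}/users", data=payload.encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"}, method="POST")


def sessions_request(tenant_realm, token, user_id):
    """Admin REST call listing a user's active sessions in the tenant realm."""
    return urllib.request.Request(
        f"{BASE}/admin/realms/{tenant_realm}/users/{user_id}/sessions",
        headers={"Authorization": f"Bearer {token}"})


def is_logged_in(sessions_json):
    """'Is the user still logged in?' means at least one session is listed."""
    return len(json.loads(sessions_json)) > 0


if __name__ == "__main__":  # credentials come from the environment, not the code
    url, body = direct_grant_request("master", os.environ["KC_CLIENT"],
                                     os.environ["KC_USER"], os.environ["KC_PASS"])
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as r:
        token = json.loads(r.read())["access_token"]  # never log this value
    with urllib.request.urlopen(create_user_request("tenant-a", token, "alice",
                                                    "alice@example.com"), timeout=10) as r:
        print("create user status:", r.status)  # 201 when the user was created
```

Logging a user into a tenant with the same direct-grant call, but against that tenant's realm and client, answers the first question; checking the sessions list answers the second.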


More information about the keycloak-dev mailing list