[keycloak-dev] Feedback on Client Registration CLI
Marko Strukelj
mstrukel at redhat.com
Fri Jul 22 06:11:35 EDT 2016
I don't have kcreg.bat yet ... contributions welcome :)
Making it part of keycloak server distro makes sense. OTOH I believe we
have some developers that just deal with HTML5 web apps who don't have
Keycloak Server installed locally. If that was the only way to get kcreg
they would have to download the whole server just to get the tool. For them
it makes sense to also have a separate CLI Tools download.
On Fri, Jul 22, 2016 at 9:40 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:
> One more:
>
> * How should we distribute it? I propose we just add kcreg.sh/kcreg.bat +
> the JAR to the bin directory of the server
>
> On 22 July 2016 at 09:33, Stian Thorgersen <sthorger at redhat.com> wrote:
>
>> A few questions from me:
>>
>> * Is it possible to view the returned JSON when creating and updating a
>> client? This contains values filled in by the server, including the
>> registration access token.
>> * Should we not enable pretty print by default?
>> * --cache isn't the most intuitive name, I don't have a better suggestion
>> though
>> * Docs should be moved to Gitbook "Securing Clients and Applications
>> guide"
>> * When creating clients and later updating them I assume it uses the
>> registration access token from the cache?
>> * A nice addition would be the ability to list attributes from
>> ClientRepresentation so it's easy to discover what attributes can be set
>> * What about setting/changing complex attributes, how does that look
>> like? Can we add/remove to an array? Add/remove elements to a complex
>> object? Something like JSON patch could be nice
>> https://tools.ietf.org/html/rfc6902
>>
>> On 22 July 2016 at 09:26, Stian Thorgersen <sthorger at redhat.com> wrote:
>>
>>> It should be fairly easy to add support for OTP as well as the direct
>>> grant supports that. The user would have to specify to use OTP though.
>>>
>>> On 21 July 2016 at 19:15, Bruno Oliveira <bruno at abstractj.org> wrote:
>>>
>>>> Nice work Marko! I had two (not big deal) questions. First, when you
>>>> specify the --cache parameters as you did for SAML, could the cache
>>>> file be omitted?
>>>>
>>>> For example: kcreg --cache -r saml-realm ...
>>>>
>>>> I was thinking that once you specified the realm name, the API will just
>>>> look for ~/.keycloak/saml-realm.cache. It's just an idea.
>>>>
>>>> Second question, is more like something to think if worth to take
>>>> into consideration. Most of the examples that I saw, make use of
>>>> username/password. But if the admin enables two factor authentication,
>>>> she might be unable to use our client-reg CLI, or enforce weaken
>>>> security only
>>>> to make use of the CLI.
>>>>
>>>> Is OTP support planned for further iterations?
>>>>
>>>>
>>>> On 2016-07-21, Marko Strukelj wrote:
>>>> > And if anyone wants to get their feet wet already:
>>>> >
>>>> >
>>>> https://github.com/mstruk/keycloak/tree/cli-reg/integration/client-registration-cli-tool
>>>> >
>>>> >
>>>> > On Thu, Jul 21, 2016 at 4:06 PM, Stian Thorgersen <
>>>> sthorger at redhat.com>
>>>> > wrote:
>>>> >
>>>> > > Great work Marko!
>>>> > >
>>>> > > As we didn't have time to go through feedback let's use this thread
>>>> for
>>>> > > it. Add your questions and comments here please.
>>>> > >
>>>> > > _______________________________________________
>>>> > > keycloak-dev mailing list
>>>> > > keycloak-dev at lists.jboss.org
>>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>> > >
>>>>
>>>> > _______________________________________________
>>>> > keycloak-dev mailing list
>>>> > keycloak-dev at lists.jboss.org
>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>>
>>>> --
>>>>
>>>> abstractj
>>>> PGP: 0x84DC9914
>>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160722/268394ad/attachment.html
More information about the keycloak-dev
mailing list