[keycloak-dev] Conceptual Questions
Stian Thorgersen
sthorger at redhat.com
Tue Mar 22 06:48:22 EDT 2016
John, we could also schedule a call next week to go through your questions.
Would be nice to meet in either case.
On 22 Mar 2016 07:40, "Stian Thorgersen" <sthorger at redhat.com> wrote:
> That's a very long list of questions. Have you read through our
> documentation? I would hope it at least answers some of these questions. If
> not then breaking this list into smaller emails would make it easier to
> answer. Answering all these questions in one go is a fairly time consuming
> job.
>
> On 16 March 2016 at 22:35, John Dennis <jdennis at redhat.com> wrote:
>
>> I would appreciate having the following Keycloak concepts
>> explained. Many thanks in advance!
>>
>> * What are the predefined clients?
>>
>> - When, why and where are you supposed to use these predefined
>> clients?
>>
>> * What is the difference between realm roles and client roles?
>>
>> - Why are realm roles and client roles distinct?
>>
>> - How do they get assigned and for what purpose?
>>
>> - Why aren't roles always visible in the Web UI? For instance
>> the available roles drop down box is often unpopulated even
>> though they seem to be predefined in the source code. Why
>> aren't they available for assignment in the Web UI?
>>
>> * How does role mapping work?
>>
>> - What is being mapped from and being mapped to?
>>
>> - What is the intended usage for these mappings?
>>
>> * What does it mean to create a role in the Web UI? What is it
>> bound to?
>>
>> - How do roles created in the Web UI relate to the predefined
>> roles?
>>
>> - Why does the Web UI allow me to create a new role with the
>> same name as a predefined role? Are they the same role or is
>> there a collision?
>>
>> * What are effective roles?
>>
>> - How are effective roles computed?
>>
>> - In the Web UI I see lists for "Available Roles", "Assigned
>> Roles" and "Effective Roles". Sometimes I see a role in the
>> "Effective Roles" list which is not in the "Assigned Roles"
>> list. How and why does this happen?
>>
>> * What are composite roles?
>>
>> - How and where are they defined?
>>
>> - How are composite roles meant to be used?
>>
>> - When looking at a list of roles in the Web UI how does one
>> identify a single role from a composite role?
>>
>> * What is the relationship between a Keycloak role and an OAuth2
>> scope?
>>
>> * Are roles related to users in any fashion or is a role bound
>> exclusively to a client (appearing only in the client's token)?
>>
>> - How do you authenticate as a user and acquire specific roles?
>>
>> - Is it because a user grants a role via an OAuth scope which
>> is then conveyed in the client token?
>>
>> - If so how is it determined what roles a user is permitted to
>> grant?
>>
>> - For example how is an admin user created? How are the fine
>> grained admin roles bound to a user and how are these roles
>> then conveyed in the token after an admin user authenticates?
>> (see next question)
>>
>> * The ClientRegistrationAuth.requireCreate() method requires the
>> bearer token from the realm administrator to have the
>> AdminRoles.MANAGE_CLIENTS or AdminRoles.CREATE_CLIENT roles in
>> the token, specifically in the resource_access part of the
>> token, but no matter what I do to add roles in the Web UI to a
>> realm admin the token roles remain unpopulated. How do these
>> roles get assigned and propagated in the token?
>>
>> * How does a client differ from an application?
>>
>> - They seem to be closely related. How, why and when do you use
>> one vs. the other?
>>
>> - The name "application" suggests they are external
>> applications which might be secured by Keycloak but that
>> doesn't seem to be the case, rather applications seem to be
>> internal Keycloak entities. Are applications called
>> applications because they are implemented as servlets in
>> Keycloak?
>>
>> - If so, is the reason applications are servlets so that their
>> endpoints can have their own authn and authz?
>>
>> * What are adapters?
>>
>> * What is a service account?
>>
>> - How is a service account supposed to be used and for what
>> purpose?
>>
>> - How is a service account created?
>>
>> - How is a service account authenticated?
>>
>> * How does OAuth2 client authentication work in Keycloak?
>>
>> - Are public clients authenticated? The OAuth2 spec talks a lot
>> about the server authenticating the client but if the client
>> is a public client it's not clear to me how this is done. How
>> are public clients authenticated?
>>
>>
>> --
>> John
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>