[keycloak-dev] Conceptual Questions

Stian Thorgersen sthorger at redhat.com
Tue Mar 22 06:48:22 EDT 2016


John, we could also schedule a call next week to go through your questions.
Would be nice to meet in either case.
On 22 Mar 2016 07:40, "Stian Thorgersen" <sthorger at redhat.com> wrote:

> That's a very long list of questions. Have you read through our
> documentation? I would hope it at least answers some of these questions. If
> not then breaking this list into smaller emails would make it easier to
> answer. Answering all these questions in one go is a fairly time consuming
> job.
>
> On 16 March 2016 at 22:35, John Dennis <jdennis at redhat.com> wrote:
>
>> I would appreciate having the following Keycloak concepts
>> explained. Many thanks in advance!
>>
>> * What are the predefined clients?
>>
>>    - When, why and where are you supposed to use these predefined
>>      clients?
>>
>> * What is the difference between realm roles and client roles?
>>
>>    - Why are realm roles and client roles distinct?
>>
>>    - How do they get assigned and for what purpose?
>>
>>    - Why aren't roles always visible in the Web UI? For instance
>>      the available roles drop down box is often unpopulated even
>>      though they seem to be predefined in the source code. Why
>>      aren't they available for assignment in the Web UI?
>>
>> * How does role mapping work?
>>
>>    - What is being mapped from and being mapped to?
>>
>>    - What is the intended usage for these mappings?
>>
>> * What does it mean to create a role in the Web UI? What is it
>>    bound to?
>>
>>    - How do roles created in the Web UI relate to the predefined
>>      roles?
>>
>>    - Why does the Web UI allow me to create a new role with the
>>      same name as a predefined role? Are they the same role or is
>>      there a collision?
>>
>> * What are effective roles?
>>
>>    - How are effective roles computed?
>>
>>    - In the Web UI I see lists for "Available Roles", "Assigned
>>      Roles" and "Effective Roles". Sometimes I see a role in the
>>      "Effective Roles" list which is not in the "Assigned Roles"
>>      list. How and why does this happen?
>>
>> * What are composite roles?
>>
>>    - How and where are they defined?
>>
>>    - How are composite roles meant to be used?
>>
>>    - When looking at a list of roles in the Web UI how does one
>>      identify a single role from a composite role?
>>
>> * What is the relationship between a Keycloak role and an OAuth2
>>    scope?
>>
>> * Are roles related to users in any fashion or is a role bound
>>    exclusively to a client (appearing only in the client's token)?
>>
>>    - How do you authenticate as a user and acquire specific roles?
>>
>>    - Is it because a user grants a role via an OAuth scope which
>>      is then conveyed in the client token?
>>
>>    - If so how is it determined what roles a user is permitted to
>>      grant?
>>
>>    - For example how is an admin user created? How are the fine
>>      grained admin roles bound to a user and how are these roles
>>      then conveyed in the token after an admin user authenticates?
>>      (see next question)
>>
>> * The ClientRegistrationAuth.requireCreate() method requires the
>>    bearer token from the realm administrator to have the
>>    AdminRoles.MANAGE_CLIENTS or AdminRoles.CREATE_CLIENT roles in
>>    the token, specifically in the resource_access part of the
>>    token, but no matter what I do to add roles in the Web UI to a
>>    realm admin the token roles remain unpopulated. How do these
>>    roles get assigned and propagated in the token?
>>
>> * How does a client differ from an application?
>>
>>    - They seem to be closely related. How, why and when do you use
>>      one vs. the other?
>>
>>    - The name "application" suggests they are external
>>      applications which might be secured by Keycloak but that
>>      doesn't seem to be the case, rather applications seem to be
>>      internal Keycloak entities. Are applications called
>>      applications because they are implemented as servlets in
>>      Keycloak?
>>
>>    - If so, is the reason applications are servlets so that their
>>      endpoints can have their own authn and authz?
>>
>> * What are adapters?
>>
>> * What is a service account?
>>
>>    - How is a service account supposed to be used and for what
>>      purpose?
>>
>>    - How is a service account created?
>>
>>    - How is a service account authenticated?
>>
>> * How does OAuth2 client authentication work in Keycloak?
>>
>>    - Are public clients authenticated? The OAuth2 spec talks a lot
>>      about the server authenticating the client but if the client
>>      is a public client it's not clear to me how this is done. How
>>      are public clients authenticated?
>>
>>
>> --
>> John
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
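Two of the questions above (how roles end up in the token, and why ClientRegistrationAuth.requireCreate() finds no manage-clients or create-client role in resource_access) are easiest to settle by looking at the access token itself. The following is an added example, not code from the thread or from Keycloak: it decodes a constructed, unsigned sample token shaped like a Keycloak access token (realm roles under realm_access.roles, client roles under resource_access.<client-id>.roles), checks whether the realm-management client roles the registration endpoint wants are present, and shows how an "effective" role set is obtained by expanding composite roles transitively. The issuer URL, subject and role sets in the sample are made up; the realm-admin composite used in the expansion example is illustrative. Note that the decoder deliberately does not verify the signature, so it is a diagnostic aid only, and that for the master realm the admin roles for another realm live on the "<realm>-realm" client rather than on realm-management.

```python
import base64
import json

# --- constructed sample token (not a real Keycloak token) -------------------

def _b64url(obj):
    """base64url-encode a JSON object without padding, as JWTs do."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Assumed claims for a realm admin in a realm called "demo"; the signature
# segment is a placeholder because this example never verifies it.
SAMPLE_PAYLOAD = {
    "iss": "https://keycloak.example/auth/realms/demo",   # assumed issuer
    "sub": "3d1c0b61-0000-0000-0000-000000000000",          # assumed subject
    "azp": "admin-cli",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "realm-management": {"roles": ["manage-clients", "view-users"]},
        "account": {"roles": ["manage-account"]},
    },
}
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url(SAMPLE_PAYLOAD),
    "signature-not-checked",
])

# --- token inspection ------------------------------------------------------

def decode_payload(token):
    """Return the claims of a JWT WITHOUT verifying its signature.

    Use only for inspection; a resource server must verify the signature
    against the realm's public key before trusting any of these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))

def realm_roles(claims):
    """Realm-level roles: realm_access.roles."""
    return set(claims.get("realm_access", {}).get("roles", []))

def client_roles(claims, client_id):
    """Client-level roles for one client: resource_access.<client_id>.roles."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))

def has_any_client_role(claims, client_id, wanted):
    """True if at least one of `wanted` is among the client's roles in the token.

    The registration endpoint's check is of this shape: manage-clients or
    create-client on the realm-management client.
    """
    return bool(client_roles(claims, client_id) & set(wanted))

# --- effective roles from composites ---------------------------------------

def effective_roles(assigned, composites):
    """Expand composite roles transitively.

    `assigned` is the set of roles directly mapped to the user;
    `composites` maps a composite role name to the roles it contains.
    The result is the union of assigned roles and everything reachable
    through composites, which is why a role can appear under
    "Effective Roles" without being listed under "Assigned Roles".
    """
    seen = set()
    stack = list(assigned)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(composites.get(role, ()))
    return seen

if __name__ == "__main__":
    claims = decode_payload(SAMPLE_TOKEN)
    print("realm roles:", sorted(realm_roles(claims)))
    print("realm-management roles:", sorted(client_roles(claims, "realm-management")))
    print("may register clients:",
          has_any_client_role(claims, "realm-management", ["manage-clients", "create-client"]))
    # Illustrative composite: realm-admin containing a few realm-management roles.
    composites = {"realm-admin": ["manage-clients", "manage-users"],
                  "manage-users": ["view-users"]}
    print("effective roles:", sorted(effective_roles({"realm-admin"}, composites)))
```

If the realm-management entry is missing from resource_access altogether, the usual causes are that the admin role was assigned but the token was issued before the assignment (tokens are not re-cut until the next login or refresh), or that the role was created in the realm's own role list rather than mapped from the realm-management client's roles, so the name matches but the client role the endpoint checks for was never granted.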