[keycloak-dev] Admin events questions

Marek Posolda mposolda at redhat.com
Mon May 9 10:17:58 EDT 2016


On 09/05/16 14:56, Stian Thorgersen wrote:
>
>
> On 9 May 2016 at 14:55, Stian Thorgersen <sthorger at redhat.com> wrote:
>
>
>
>     On 9 May 2016 at 12:29, Marek Posolda <mposolda at redhat.com> wrote:
>
>         * Currently we support admin events just for 'success' cases.
>         We don't log any error situations or missing permissions. Is
>         it sufficient?
>
>
>     +1 To errors, create a jira for 2.0.cr1
>
https://issues.jboss.org/browse/KEYCLOAK-2982
>
>
>         * Some minor usability issues:
>         ** For both classic events and admin events, there is
>         filtering by Date (from or to). Couldn't we add some "nice"
>         component for easily selecting a date? Also the "from" date is
>         included, but the "to" date is excluded. This may not be
>         obvious. Shouldn't we somehow mention it in tooltips?
>
>
>     +1 PatternFly was about to add one when we did this, but it wasn't
>     ready yet. JIRA for 2.0.cr1 please.
>
https://issues.jboss.org/browse/KEYCLOAK-2983
>
>
>         ** In "Auth details" for admin events, there is filtering by
>         "Realm", "Client" or "User". It may not be obvious that this
>         points to IDs. To be even more confusing, in "classic" events
>         there is "Client" too, but that points to clientId (not
>         database ID). Also in many situations, admins don't know the
>         UserID or client database ID, so there is an additional action
>         required from them: they need to look up the ID first. For
>         clients, the client database ID is not even visible in the
>         admin console, so they need to decode it either from the URL or
>         from some existing event. I wonder if we should add the
>         possibility to filter by "username" or "clientId"? For users
>         maybe even filtering by email? In case "username" or "email"
>         or "clientId" is filled, the admin will need to fill the
>         "realm" too.
>
>
>     Events don't always have a username; the username can also change
>     over time. So user id isn't the reliable thing to use. We could add
>     something to allow looking up userid by username or something though.
>
>
> I meant user id is the only reliable thing to use. Same with
> "client-id": it can change, so id for clients is the only thing that
> works over time.

Yeah, I meant that if you filter by username (or email or clientId), you
will be required to fill the realm too. Then it's the responsibility of
RealmAdminResource.getEvents to look up the user by realm+username and send
the found userID to EventStore for filtering. So EventsStore will be
unchanged and will still persist just the userId + client DB ID.

Marek
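
The lookup-then-filter flow proposed in the reply above, as an added sketch that is not part of the original message and not Keycloak code: `User`, `AdminEvent` and `query` are hypothetical in-memory stand-ins, `getEvents` is only named after the `RealmAdminResource.getEvents` mentioned above, and the realm is simplified to a single string. It also applies the inclusive "from" / exclusive "to" date filter discussed earlier in the thread, and assumes Java 16 or later (records).

```java
import java.time.Instant;
import java.util.*;
import java.util.stream.*;

// Added illustration; every type here is a hypothetical stand-in, not a Keycloak class.
public class AdminEventFilterSketch {
    record User(String id, String realm, String username) {}
    record AdminEvent(Instant time, String realmId, String authUserId, String operation) {}

    // Stand-in for the event store: it persists and filters on stable IDs only, never usernames.
    static List<AdminEvent> query(List<AdminEvent> store, String realmId, String authUserId,
                                  Instant from, Instant to) {
        return store.stream()
            .filter(e -> e.realmId().equals(realmId))
            .filter(e -> authUserId == null || e.authUserId().equals(authUserId))
            .filter(e -> from == null || !e.time().isBefore(from)) // "from" is included
            .filter(e -> to == null || e.time().isBefore(to))      // "to" is excluded
            .collect(Collectors.toList());
    }

    // Resource layer: resolve realm + current username to the user ID, then delegate to the store.
    static List<AdminEvent> getEvents(List<User> users, List<AdminEvent> store,
                                      String realm, String username, Instant from, Instant to) {
        if (realm == null)
            throw new IllegalArgumentException("realm is required when filtering by username");
        Optional<User> user = users.stream()
            .filter(u -> u.realm().equals(realm) && u.username().equals(username))
            .findFirst();
        // Unknown username: return nothing instead of silently dropping the user filter.
        if (user.isEmpty()) return List.of();
        return query(store, realm, user.get().id(), from, to);
    }

    public static void main(String[] args) {
        // Constructed sample data: user "u-1" was renamed from "alice" to "alice.admin"
        // after the first event was recorded.
        List<User> users = List.of(new User("u-1", "demo", "alice.admin"),
                                   new User("u-2", "demo", "bob"));
        List<AdminEvent> store = List.of(
            new AdminEvent(Instant.parse("2016-05-08T09:00:00Z"), "demo", "u-1", "CREATE"),
            new AdminEvent(Instant.parse("2016-05-09T00:00:00Z"), "demo", "u-1", "UPDATE"),
            new AdminEvent(Instant.parse("2016-05-09T08:00:00Z"), "demo", "u-2", "DELETE"));
        Instant from = Instant.parse("2016-05-08T00:00:00Z");
        Instant to = Instant.parse("2016-05-09T00:00:00Z");
        // Query by the current username, then by the old one, over the same window.
        System.out.println(getEvents(users, store, "demo", "alice.admin", from, to));
        System.out.println(getEvents(users, store, "demo", "alice", from, to));
    }
}
```

Because the store is keyed on the user ID, events recorded before a rename stay reachable through the current username, while the old username no longer resolves to anything.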