[keycloak-dev] New Account Management Console and Account REST api

Thomas Connolly thomas_connolly at yahoo.com
Thu Mar 23 19:02:50 EDT 2017


Hi Stian

Our scenario is that we do not want to expose the admin UI externally. This opens the system to an external exploit.

At the moment we have two options,
1) Block, via a rule on the load balancer port / (partial) path
2) Change / hack the KeycloakSessionServletFilter to block external requests

Note we had to implement 2 as the company policies for the LB didn't allow path based rules.
The issue has been raised previously...
https://issues.jboss.org/browse/KEYCLOAK-2944

Regards
Tom Connolly
Message: 5
Date: Thu, 23 Mar 2017 13:00:56 -0400
From: Stan Silvert <ssilvert at redhat.com>
Subject: Re: [keycloak-dev] New Account Management Console and Account
    REST api
To: keycloak-dev at lists.jboss.org
Message-ID: <fdd8b93c-a6a4-193e-ad4a-41e7447772c4 at redhat.com>
Content-Type: text/plain; charset=utf-8; format=flowed

On 3/23/2017 8:28 AM, Thomas Connolly wrote:
> Hi All
> Could this UI and API be put on a separate port please?
It's still very early in development, but you will probably have the 
option of putting it on a different port and even a different server.  
Of course, the default will be to still run it as you do today.

But I'm interested in your use case.  Why do you need it on a different 
port?

> Regards
> Tom.
> -----------------------------------
>
> Message: 1
> Date: Fri, 17 Mar 2017 08:25:47 -0700
> From: Tair Sabirgaliev <tair.sabirgaliev at gmail.com>
> Subject: Re: [keycloak-dev] New Account Management Console and Account
>      REST    api
> To: Stan Silvert <ssilvert at redhat.com>, stian at redhat.com
> Cc: keycloak-dev <keycloak-dev at lists.jboss.org>
> Message-ID:
>      <CAGU3vRfYkUjsoZMdyTz25HFAE0+P+Yfn69X1wG1_SdBqNwAW3w at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> +1 for Angular2, this will make maintenance and customisation easier.
> The framework becomes very popular and close to "JavaEE mindset".
>
> On 17 March 2017 at 18:19:23, Stan Silvert (ssilvert at redhat.com) wrote:
>
> On 3/17/2017 8:09 AM, Stian Thorgersen wrote:
>> Had another idea. We could quite easily make it possible to configure
>> the "account management url" for a realm. That would let folks
>> redirect to external account management console if they want to
>> completely override it.
> That would also mean that our own account management console could be
> served from anywhere or even installed locally on the client machine.
>> On 17 March 2017 at 13:08, Stian Thorgersen <sthorger at redhat.com> wrote:
>>
>> I'm going to call it "YetAnotherJsFramework" ;)
>>
>> On 17 March 2017 at 12:54, Stan Silvert <ssilvert at redhat.com> wrote:
>>
>> On 3/17/2017 5:47 AM, Stian Thorgersen wrote:
>>> As we've discussed a few times now the plan is to do a brand new account
>>> management console. Instead of old school forms it will be all modern using
>>> HTML5, AngularJS and REST endpoints.
>> One thing. That should be "Angular", not "AngularJS". Just to
>> educate everyone, here is what's going on in Angular-land:
>>
>> AngularJS is the old framework we used for the admin console.
>> Angular is the new framework we will use for the account
>> management console.
>>
>> Most of you know the new framework as Angular2 or ng-2, but the powers
>> that be want to just call it "Angular". This framework is completely
>> rewritten and really has no relation to AngularJS, except they both come
>> from Google and both have "Angular" in the name.
>>
>> To avoid confusion, I'm going to call it "Angular2" for the foreseeable
>> future.
>>> The JIRA for this work is:
>>> https://issues.jboss.org/browse/KEYCLOAK-1250
>>> We were hoping to get some help from the professional UXP folks for this,
>>> but it looks like that may take some time. In the mean time the plan is to
>>> base it on the following template:
>>>
>>> https://rawgit.com/andresgalante/kc-user/master/layout-alt-fixed.html#
>>>
>>> Also, we'll try to use some newer things from PatternFly patterns to
>>> improve the screens.
>>>
>>> First pass will have the same functionality and behavior as the old account
>>> management console. Second pass will be to improve the usability (pages
>>> like linking, sessions and history are not very nice).
>>>
>>> We will deprecate the old FreeMarker/forms way of doing things, but keep it
>>> around so it doesn't break what people are already doing. This can be
>>> removed in the future (probably RHSSO 8.0?).
>>>
>>> We'll also need to provide full rest endpoints for the account management
>>> console. I'll work on that, while Stan works on the UI.
>>>
>>> As the account management console will be a pure HTML5 and JS app anyone
>>> can completely replace it with a theme. They can also customize it a lot.
>>> We'll also need to make sure it's easy to add additional pages/sections.
>>> Rather than just add to AccountService I'm going to rename that
>>> to DeprecatedAccountFormService remove all REST from there and add a new
>>> AccountService that only does REST. All features available through forms at
>>> the moment will be available as REST API, with the exception of account
>>> linking which will be done through Bill's work that was introduced in 3.0
>>> that allows applications to initiate the account linking.
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev



More information about the keycloak-dev mailing list
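
The two ideas raised in this thread, a separate port for the admin UI and a filter that blocks external requests (option 2), combined in one sketch. This is an added example, not Keycloak code and not the filter change Tom describes. `AdminPathGuard`, `ADMIN_PREFIX`, `INTERNAL_PORT` and the sample paths are assumptions; in a servlet filter the two inputs would come from `getRequestURI()` and `getLocalPort()`.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

// Added illustration: not Keycloak code and not the filter change described in the thread.
public class AdminPathGuard {
    // Assumed placeholder values; set them to match the actual deployment.
    static final String ADMIN_PREFIX = "/auth/admin"; // assumed admin UI/API path prefix
    static final int INTERNAL_PORT = 9443;            // assumed listener bound to the internal network only

    // Reduce a raw request path to one canonical form, so the prefix check
    // is made on the same path the application will route on.
    static String canonicalPath(String rawPath) {
        String p = rawPath;
        for (int i = 0; i < 3 && p.indexOf('%') >= 0; i++) {
            p = URLDecoder.decode(p, StandardCharsets.UTF_8); // throws on malformed escapes
        }
        p = p.replace('\\', '/').replaceAll(";[^/]*", "");    // unify separators, drop ;path-parameters
        Deque<String> out = new ArrayDeque<>();
        for (String seg : p.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;   // "//" and "/./"
            if (seg.equals("..")) { out.pollLast(); continue; }
            out.addLast(seg.toLowerCase(Locale.ROOT));        // match case-insensitively (stricter)
        }
        return "/" + String.join("/", out);
    }

    // Admin paths are served only on the internal listener; everything else passes.
    static boolean isAllowed(String rawPath, int localPort) {
        if (localPort == INTERNAL_PORT) return true;
        try {
            String p = canonicalPath(rawPath);
            return !(p.equals(ADMIN_PREFIX) || p.startsWith(ADMIN_PREFIX + "/"));
        } catch (IllegalArgumentException e) {
            return false; // undecodable path on the external listener: fail closed
        }
    }

    public static void main(String[] args) {
        // Constructed sample requests: {raw path, port the request arrived on}.
        String[][] samples = {
            {"/auth/realms/demo/account", "8443"},
            {"/auth/admin/master/console/", "8443"},
            {"/auth//admin;v=1/./master", "8443"},
            {"/auth/admin/master/console/", "9443"},
        };
        for (String[] s : samples) {
            boolean ok = isAllowed(s[0], Integer.parseInt(s[1]));
            System.out.println(s[0] + " on " + s[1] + " -> " + (ok ? "allow" : "deny"));
        }
    }
}
```

Keying the decision on the listener port rather than the client address matters behind a load balancer, where the remote address the server sees is the balancer's own.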