[keycloak-dev] Few Questions on usage

Bill Burke bburke at redhat.com
Mon May 21 09:21:12 EDT 2018


On Mon, May 21, 2018 at 9:00 AM, gambol <gambol99 at gmail.com> wrote:
> Hiya
>
> Apologies for the wide range of questions .. but figured a number would be
> useful for the user base.
>
> - Using the current scripted authentication in Authentication Flows, would
> it be possible to use a script to say if clientid == x and user has role x,
> permitted else not. Also do you have a repo with some examples of scripts?
> similar to https://github.com/auth0/rules
>

Yes, you could do that.  No repo, sorry.  This was a community
contribution and we don't have much more than basic docs.

> - Will the scripting always be at the global level, or is there any plan to
> make it per client? Or perhaps a better question would be: will the
> authentication flow always be at the realm level?
>

You can assign a specific authentication flow to a specific client, but
we do not have anything like "step up" authentication yet.

> - Assuming a realm with multiple identity providers, is there any means by
> which a client can enforce that a user came in via a specific identity
> provider? Or, if I come in via provider x, they need to use MFA (would this
> be done with a Post Login Flow on the provider perhaps?).
>

That might work, but post login flow was implemented mainly to resolve
import from external provider.

> - Are there any plans to make Groups per client and under the client UI? For
> realms which have many disassociated applications but common user bases
> it makes it easier for them to manage.
>

You are the first to ask, but we should do something similar to what
was done for roles.

> - Are there any plans to expose metrics (or perhaps they are already
> exposed)? via JMX, stats, Prometheus etc .. around logins, successful,
> failed etc, any latency measures on identity providers, Infinispan /
> database operations etc
>

Something that should be scheduled.  We have audit logs for all
different types of events, but I'm pretty sure we don't tabulate any
of it.  We have basic generic metrics that any "application server"
would provide through Wildfly.

> - Is there any way to turn off the internal passwords and force via
> identity provider? .. i guess this is where scripting becomes useful .. i.e
> if client = y get the provider name and deny if not y etc
>

Elaborate?  Not sure what you mean. Not understanding this one.


-- 
Bill Burke
Red Hat
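As an added illustration of the first question (a script authenticator that permits a login only when the requesting client and the user's role line up), here is an example that is not part of the thread and not Keycloak's own code. It assumes the globals Keycloak's script authenticator binds (`authenticationSession`, `user`, `realm`, `LOG`); the client IDs, role names and policy map are constructed for the example.

```javascript
// Keycloak script authenticators run under the JVM's script engine (Nashorn,
// ES5 syntax), so this sticks to `var` and plain functions. Keycloak calls
// authenticate(context); everything else is kept pure so it can be unit
// tested outside the server.

// Constructed policy: which realm role each client requires. A client that is
// not listed is denied, so the default is deny rather than allow.
var REQUIRED_ROLE_BY_CLIENT = {
  "portal": "portal-user",
  "ops-dashboard": "ops-admin"
};

// Pure decision. `hasRole` is a predicate (roleName -> boolean) supplied by
// the caller, so the rule does not depend on how roles are looked up.
function isPermitted(clientId, hasRole, policy) {
  var required = policy[clientId];
  if (!required) {
    return false;                       // unknown client: deny by default
  }
  return hasRole(required) === true;
}

// Entry point invoked by Keycloak for each login passing through this flow.
function authenticate(context) {
  var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
  var clientId = String(authenticationSession.getClient().getClientId());

  // user.hasRole(RoleModel) resolves composite roles and group membership,
  // which a raw comparison of directly mapped role names would miss.
  var hasRealmRole = function (roleName) {
    var role = realm.getRole(roleName);
    return role !== null && user.hasRole(role);
  };

  if (isPermitted(clientId, hasRealmRole, REQUIRED_ROLE_BY_CLIENT)) {
    context.success();
  } else {
    // Log the denial so failed policy checks show up next to the audit events.
    LOG.warn("script auth denied: client=" + clientId + " user=" + user.getUsername());
    context.failure(AuthenticationFlowError.ACCESS_DENIED);
  }
}
```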

