[keycloak-user] Design concerns on automated Keycloak Client addition to a realm

Stian Thorgersen sthorger at redhat.com
Fri Mar 4 05:09:49 EST 2016


For dynamic registration of clients take a look at
http://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html

On 4 March 2016 at 09:12, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:

> Hello,
>
> I'm trying to design a keycloak-based system that will have the following
> characteristics:
>
> * A single realm R will exist with a big set of users.
> * Users will be able to install instances of software X that consists of
> four (4) applications protected by keycloak.
> * Each application in any instance of X will have a corresponding Keycloak
> Client entity containing a set of application-level roles. Thus, having the
> appropriate role, a user of R can selectively be granted access to any
> application of any instance of X.
> * The addition of a new instance of X to the keycloak realm (the creation
> of the Clients, client roles etc.) is called 'registration' and will be
> done using the Keycloak Admin REST API.
>
> What's the best practice to achieve automatic registration of a new
> instance to the realm?
>
> I've considered the following:
>
> a. Have the instance applications *directly* consume keycloak Admin REST
> API and create Clients and Client roles. As far as I investigated users of
> the instance will need to have a R:realm-management:manage-clients role in
> order to do that (create-client didn't work). This seems a pretty
> permissive role to give to any user in R.
>
> b. Have a separate keycloak-protected application that won't be part of X
> to do the important work of 'registration'. It will work as a proxy. The
> application will act on behalf of an administrator user with a powerful
> role like R:realm-management:realm-admin. The application will define its
> own set of roles and HTTP API for instance registration. All users will
> have to go through it to register their instance. It will work as a proxy.
> But they won't need to be granted dangerous roles to do it.
>
> Any suggestion will be more than welcome.
>
> Thanks
>
> Orestis
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
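Added example (not from this thread or the Keycloak project): a sketch of option (b), the registration proxy. The proxy is the only component holding a privileged Keycloak credential (its own service account with manage-clients on realm R); end users call the proxy's narrow "register instance" operation and are checked against a proxy-defined role, so nobody in R needs manage-clients or realm-admin. The Admin REST API paths used (POST /admin/realms/{realm}/clients, which answers 201 with a Location header ending in the client's UUID, and POST /admin/realms/{realm}/clients/{uuid}/roles) are real Keycloak endpoints; the base URL, the four application names, the role names, the clientId naming scheme and the proxy role name "instance-registrar" are assumptions made for the example. The HTTP layer is an injected callable so the logic runs offline; a deployment would plug in requests/httpx carrying the proxy's bearer token.

```python
"""Registration proxy for option (b): the proxy owns the privileged credential
and exposes one narrow operation, so ordinary realm users hold no admin roles."""
import re
from typing import Callable, Dict, Iterable, Tuple

# Constructed values for this example (assumptions, not from the thread).
KEYCLOAK_BASE = "https://keycloak.example.com/auth"
REALM = "R"
APPLICATIONS = ("app-a", "app-b", "app-c", "app-d")   # the four apps of X
APP_ROLES = ("user", "admin")                          # per-application client roles
PROXY_ROLE = "instance-registrar"                      # role the proxy defines for its own API
INSTANCE_ID_RE = re.compile(r"^[a-z0-9][a-z0-9-]{2,31}$")

# transport(method, url, json_body) -> (status, response_json, response_headers)
Transport = Callable[[str, str, dict], Tuple[int, dict, Dict[str, str]]]


def client_id_for(instance_id: str, app: str) -> str:
    """Deterministic clientId 'x-<instance>-<app>' (naming scheme is an assumption)."""
    return f"x-{instance_id}-{app}"


def build_client(instance_id: str, app: str, base_url: str) -> dict:
    """ClientRepresentation for one application of one instance: a confidential
    client whose redirect URIs are pinned to the instance's own https origin."""
    if not INSTANCE_ID_RE.match(instance_id):
        raise ValueError(f"invalid instance id: {instance_id!r}")
    if not base_url.startswith("https://"):
        raise ValueError("instance base URL must be https")
    origin = base_url.rstrip("/")
    return {
        "clientId": client_id_for(instance_id, app),
        "name": f"{app} ({instance_id})",
        "enabled": True,
        "protocol": "openid-connect",
        "publicClient": False,
        "standardFlowEnabled": True,
        "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": False,
        "redirectUris": [f"{origin}/{app}/*"],
        "webOrigins": [origin],
        "fullScopeAllowed": False,      # only explicitly mapped roles end up in tokens
    }


def authorize_registration(caller_roles: Iterable[str], instance_id: str,
                           owned_instances: Iterable[str]) -> bool:
    """The proxy's own access check: the caller holds the proxy-defined role and
    the instance being registered is one the proxy has recorded as theirs."""
    return PROXY_ROLE in set(caller_roles) and instance_id in set(owned_instances)


def register_instance(instance_id: str, base_url: str,
                      transport: Transport) -> Dict[str, str]:
    """Create the four clients and their client roles via the Admin REST API,
    using the proxy's privileged credential. Returns {clientId: client UUID}."""
    admin = f"{KEYCLOAK_BASE}/admin/realms/{REALM}"
    created: Dict[str, str] = {}
    for app in APPLICATIONS:
        rep = build_client(instance_id, app, base_url)
        status, _, headers = transport("POST", f"{admin}/clients", rep)
        if status == 409:
            raise RuntimeError(f"client {rep['clientId']} already exists")
        if status != 201:
            raise RuntimeError(f"client creation failed: HTTP {status}")
        # Keycloak answers 201 with Location: .../clients/<uuid>
        uuid = headers["Location"].rsplit("/", 1)[-1]
        for role in APP_ROLES:
            status, _, _ = transport(
                "POST", f"{admin}/clients/{uuid}/roles",
                {"name": role, "description": f"{role} of {app} in {instance_id}"})
            if status != 201:
                raise RuntimeError(f"role {role} on {rep['clientId']}: HTTP {status}")
        created[rep["clientId"]] = uuid
    return created


def handle_registration(caller_roles, owned_instances, instance_id, base_url,
                        transport: Transport) -> Dict[str, str]:
    """Proxy entry point: authorize with the proxy's role model, then register."""
    if not authorize_registration(caller_roles, instance_id, owned_instances):
        raise PermissionError("caller may not register this instance")
    return register_instance(instance_id, base_url, transport)
```

The property worth noting is that the permission boundary moves into the proxy: the token a user presents to it carries only `instance-registrar`, and the proxy decides which clientIds and redirect URIs that user may create, so a compromised instance cannot register arbitrary clients or point redirect URIs at a foreign origin. For the alternative Stian points to (Keycloak's client registration service), the same proxy can instead mint short-lived initial access tokens for its users rather than calling the Admin API itself.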