[keycloak-user] Design concerns on automated Keycloak Client addition to a realm
Stian Thorgersen
sthorger at redhat.com
Tue Mar 8 13:57:50 EST 2016
On 8 March 2016 at 16:03, Orestis Tsakiridis <
orestis.tsakiridis at telestax.com> wrote:
> Thanks Stian!
>
> Client Registration service passed under my radar (still on 1.6.1).
>
> I was wondering, Initial Access Tokens seem to be only generated from the
> Administration Console. Is there a REST API for that ?
>
The admin console is just a HTML5 app calling REST APIs, so yes ;). See
http://keycloak.github.io/docs/rest-api/index.html and you need a bearer
token with the appropriate roles to invoke.
>
>
>
>
>
> On Fri, Mar 4, 2016 at 12:09 PM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> For dynamic registration of clients take a look at
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html
>>
>> On 4 March 2016 at 09:12, Orestis Tsakiridis <
>> orestis.tsakiridis at telestax.com> wrote:
>>
>>> Hello,
>>>
>>> I'm trying to design a keycloak-based system that will have the
>>> following characteristics:
>>>
>>> * A single realm R will exist with a big set of users.
>>> * Users will be able to install instances of software X that consists of
>>> four (4) applications protected by keycloak.
>>> * Each application in any instance of X will have a corresponding
>>> Keycloak Client entity containing a set of application-level roles. Thus,
>>> having the appropriate role,m a user of R can selectively be granted access
>>> to any application of any instance of X.
>>> * The addition of a new instance of X to the keycloak realm (the
>>> creation of the Clients, client roles etc.) is called 'registration' and
>>> will be done using the Keycloak Admin REST API.
>>>
>>> What's the best practice to achieve automatic registration of a new
>>> instance to the realm?
>>>
>>> I've considered the following:
>>>
>>> a. Have the instance applications *directly* consume keycloak Admin REST
>>> API and create Clients and Client roles. As far as i investigated users of
>>> the instance will need to have a R:realm-management:manage-clients role in
>>> order to do that (create-client didn't work). This seems a pretty
>>> permissive role to give to any user in R.
>>>
>>> b. Have a separate keycloak-protected application that won't be part of
>>> X to do the important work of 'registration'. It will work as a proxy. The
>>> application will act on behalf of an administrator user with a powerfull
>>> role like R:realm-management:realm-admin. The application will define it's
>>> own set of roles and HTTP API for instance registration. All users will
>>> have to go through it to register their instance. It will work as a proxy.
>>> But they won't need to be granted dangerous roles to do it.
>>>
>>> Any suggestion will be more than welcome.
>>>
>>> Thanks
>>>
>>> Orestis
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/67502cf7/attachment-0001.html
More information about the keycloak-user
mailing list