[keycloak-user] Design concerns on automated Keycloak Client addition to a realm

Orestis Tsakiridis orestis.tsakiridis at telestax.com
Wed Mar 9 09:21:25 EST 2016


Thanks for the pointers Stian.

I used this:

http://keycloak.github.io/docs/rest-api/index.html#_get_admin_realms_realm_clients_initial_access

and it worked just fine.

On Tue, Mar 8, 2016 at 8:57 PM, Stian Thorgersen <sthorger at redhat.com>
wrote:

>
>
> On 8 March 2016 at 16:03, Orestis Tsakiridis <
> orestis.tsakiridis at telestax.com> wrote:
>
>> Thanks Stian!
>>
>> Client Registration service passed under my radar (still on 1.6.1).
>>
>> I was wondering, Initial Access Tokens seem to be only generated from the
>> Administration Console. Is there a REST API for that?
>>
>
> The admin console is just an HTML5 app calling REST APIs, so yes ;). See
> http://keycloak.github.io/docs/rest-api/index.html and you need a bearer
> token with the appropriate roles to invoke.
>
>>
>> On Fri, Mar 4, 2016 at 12:09 PM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>>> For dynamic registration of clients take a look at
>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html
>>>
>>> On 4 March 2016 at 09:12, Orestis Tsakiridis <
>>> orestis.tsakiridis at telestax.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm trying to design a keycloak-based system that will have the
>>>> following characteristics:
>>>>
>>>> * A single realm R will exist with a big set of users.
>>>> * Users will be able to install instances of software X that consists
>>>> of four (4) applications protected by keycloak.
>>>> * Each application in any instance of X will have a corresponding
>>>> Keycloak Client entity containing a set of application-level roles. Thus,
>>>> having the appropriate role, a user of R can selectively be granted access
>>>> to any application of any instance of X.
>>>> * The addition of a new instance of X to the keycloak realm (the
>>>> creation of the Clients, client roles etc.) is called 'registration' and
>>>> will be done using the Keycloak Admin REST API.
>>>>
>>>> What's the best practice to achieve automatic registration of a new
>>>> instance to the realm?
>>>>
>>>> I've considered the following:
>>>>
>>>> a. Have the instance applications *directly* consume keycloak Admin
>>>> REST API and create Clients and Client roles. As far as I investigated,
>>>> users of the instance will need to have a
>>>> R:realm-management:manage-clients role in order to do that (create-client
>>>> didn't work). This seems a pretty permissive role to give to any user in R.
>>>>
>>>> b. Have a separate keycloak-protected application that won't be part of
>>>> X to do the important work of 'registration'. It will work as a proxy. The
>>>> application will act on behalf of an administrator user with a powerful
>>>> role like R:realm-management:realm-admin. The application will define its
>>>> own set of roles and HTTP API for instance registration. All users will
>>>> have to go through it to register their instance. It will work as a proxy.
>>>> But they won't need to be granted dangerous roles to do it.
>>>>
>>>> Any suggestion will be more than welcome.
>>>>
>>>> Thanks
>>>>
>>>> Orestis
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>
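The flow this thread converges on (a registration proxy holding the powerful role mints short-lived Initial Access Tokens, and the instance uses them to register its four clients through the Client Registration service, so ordinary users of R never receive realm-management roles) as an added example, not code from the thread or from the Keycloak project. It assumes Keycloak's admin endpoint `/admin/realms/{realm}/clients-initial-access` and Client Registration endpoint `/realms/{realm}/clients-registrations/default`; the base URL, realm name, application names, redirect URIs and credentials are placeholders.

```python
import json
import urllib.parse
import urllib.request

KEYCLOAK_URL = "https://keycloak.example.com/auth"  # placeholder base URL
REALM = "R"
APPS = ["app-a", "app-b", "app-c", "app-d"]          # constructed names for X's four apps


def _post_json(url, body, bearer=None, form=False):
    """POST body as JSON (or as a form) and decode the JSON reply."""
    data = (urllib.parse.urlencode(body) if form else json.dumps(body)).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type",
                   "application/x-www-form-urlencoded" if form else "application/json")
    if bearer:
        req.add_header("Authorization", "Bearer " + bearer)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def initial_access_request(count, expiration_s):
    """Body for POST /admin/realms/{realm}/clients-initial-access: the token is
    usable `count` times and expires after `expiration_s` seconds, so a token that
    leaks is worth little outside the registration window."""
    return {"count": count, "expiration": expiration_s}


def client_representation(instance_id, app):
    """ClientRepresentation for one application of one instance of X; the instance
    id is embedded in clientId so two instances cannot collide."""
    return {"clientId": f"{instance_id}-{app}", "enabled": True, "publicClient": False,
            "redirectUris": [f"https://{instance_id}.example.com/{app}/*"]}


def mint_initial_access_token(admin_token, count, expiration_s):
    """Proxy side (option b): the only party that holds a realm-management role."""
    url = f"{KEYCLOAK_URL}/admin/realms/{REALM}/clients-initial-access"
    return _post_json(url, initial_access_request(count, expiration_s), admin_token)["token"]


def register_instance(instance_id, initial_access_token):
    """Instance side: registers its clients with the Initial Access Token and keeps
    the per-client registrationAccessToken Keycloak returns for later updates."""
    url = f"{KEYCLOAK_URL}/realms/{REALM}/clients-registrations/default"
    return {app: _post_json(url, client_representation(instance_id, app),
                            initial_access_token)["registrationAccessToken"]
            for app in APPS}


if __name__ == "__main__":
    # The proxy's own admin token from realm R (placeholder credentials).
    tok = _post_json(f"{KEYCLOAK_URL}/realms/{REALM}/protocol/openid-connect/token",
                     {"grant_type": "password", "client_id": "admin-cli",
                      "username": "proxy-admin", "password": "CHANGE_ME"}, form=True)["access_token"]
    iat = mint_initial_access_token(tok, count=len(APPS), expiration_s=300)
    print(register_instance("inst-42", iat))
```

The initial access token is only valid for `count` registrations within `expiration_s` seconds; the proxy hands one to each instance and never exposes its own bearer token.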