[keycloak-user] Custom REST endpoint not associated with a REALM

Dmitry Telegin demetrio at carretti.pro
Fri May 31 13:50:05 EDT 2019


Hello Michael,

In Keycloak, custom REST endpoints are realm-bound by design. But you can use master realm to emulate "realm-independent" endpoints, since master is a special realm that is guaranteed to always exist (unless you decide to break Keycloak by manually deleting it :)

In fact, it's not about REST endpoints only. The rule of thumb is, if you need to implement something realm-independent (or "global") in Keycloak, but the API requires a realm, use master realm for that.

Regarding reliability and maintainability of this approach, please check out this thread [1]. When implementing yet another KC extension that needed to be "global", I became a bit concerned with the usage of master realm for that, but Stian actually confirmed that would be pretty safe.

[1] http://lists.jboss.org/pipermail/keycloak-dev/2018-November/011349.html

Good luck!
Dmitry Telegin

Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Fri, 2019-05-31 at 15:31 +0000, Michael Dailous wrote:
> Is there anyone that can provide some guidance on this?
> 
> Michael
> 
> -----Original Message-----
> Date: Thu, 30 May 2019 17:45:12 +0000
> From: Michael Dailous <mdailous at forensiclogic.com>
> Subject: [keycloak-user] Custom REST endpoint not associated with a specific REALM
> To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> 
> Hi,
> 
> We are looking to implement a REST endpoint that will be used to query the REALM information associated with a specified user. The REST endpoint will be publicly available and used as part of the Authentication process, identifying which Keycloak REALM should be used during the client authentication process. We've created REST endpoints that are available through a REALM, such as "/auth/realms/master/admin-extensions/...". Those specific REALMs are accessed post authentication. For this REST endpoint, we're looking to access it generically pre authentication.
> Is it possible to create a custom REST endpoint that's not associated with a specific REALM?
> 
> Thanks,
> Michael
> 
> 
> ------------------------------
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
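
As an added illustration of the master-realm approach described in the reply above (not code from the thread or from the Keycloak project): a `RealmResourceProvider` is reachable under every realm's URL, so this example answers only when the request's realm is the admin realm. The class names, the `global-info` id and the `ping` path are hypothetical; the `javax.ws.rs` imports assume a Keycloak release of the thread's era (newer releases use `jakarta.ws.rs`).

```java
// Added example, not Keycloak project code. Class names, the "global-info" id
// and the "ping" path are hypothetical. Register the factory by listing it in
// META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory
import javax.ws.rs.GET;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;

public class GlobalInfoProviderFactory implements RealmResourceProviderFactory {
    // URL segment after /realms/{realm}/, e.g. /auth/realms/master/global-info/ping
    public static final String ID = "global-info";

    @Override public String getId() { return ID; }
    @Override public RealmResourceProvider create(KeycloakSession s) { return new GlobalInfoProvider(s); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}

class GlobalInfoProvider implements RealmResourceProvider {
    private final KeycloakSession session;
    GlobalInfoProvider(KeycloakSession session) { this.session = session; }

    @Override public Object getResource() { return this; }
    @Override public void close() { }

    @GET
    @Path("ping")
    @Produces(MediaType.APPLICATION_JSON)
    public String ping() {
        requireAdminRealm();
        return "{\"status\":\"ok\"}";
    }

    // The provider is created for whichever realm is in the request path, so
    // reject every realm except the admin realm ("master" unless reconfigured).
    private void requireAdminRealm() {
        RealmModel realm = session.getContext().getRealm();
        if (realm == null || !Config.getAdminRealm().equals(realm.getName())) {
            throw new NotFoundException();
        }
    }
}
```

The guard only pins the endpoint to one URL; it performs no authentication, so any caller who can reach the server can still invoke it.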


