[keycloak-user] Custom REST endpoint not associated with a REALM
Michael Dailous
mdailous at forensiclogic.com
Fri May 31 14:08:27 EDT 2019
Thanks for the response Dmitry.
After reviewing the link provided, I understand the design and feel more comfortable with using Master as the 'global' interface moving forward. This really simplifies the implementation, too, as I have experience creating custom REST endpoints in Keycloak. Very exciting!!!
Thanks again,
Michael
-----Original Message-----
From: Dmitry Telegin <demetrio at carretti.pro>
Sent: Friday, May 31, 2019 10:50 AM
To: Michael Dailous <mdailous at forensiclogic.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Custom REST endpoint not associated with a REALM
Hello Michael,
In Keycloak, custom REST endpoints are realm-bound by design. But you can use master realm to emulate "realm-independent" endpoints, since master is a special realm that is guaranteed to always exist (unless you decide to break Keycloak by manually deleting it :)
In fact, it's not about REST endpoints only. The rule of thumb is, if you need to implement something realm-independent (or "global") in Keycloak, but the API requires a realm, use master realm for that.
Regarding reliability and maintainability of this approach, please check out this thread [1]. When implementing yet another KC extension that needed to be "global", I became a bit concerned with the usage of master realm for that, but Stian actually confirmed that would be pretty safe.
[1] http://lists.jboss.org/pipermail/keycloak-dev/2018-November/011349.html
Good luck!
Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro
On Fri, 2019-05-31 at 15:31 +0000, Michael Dailous wrote:
> Is there anyone that can provide some guidance on this?
>
> Michael
>
> -----Original Message-----
> Date: Thu, 30 May 2019 17:45:12 +0000
> From: Michael Dailous <mdailous at forensiclogic.com>
> Subject: [keycloak-user] Custom REST endpoint not associated with a
> specific REALM
> To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>
> Hi,
>
> We are looking to implement a REST endpoint that will be used to query the REALM information associated with a specified user. The REST endpoint will be publicly available and used as part of the Authentication process, identifying which Keycloak REALM should be used during the client authentication process. We've created REST endpoints that are available through a REALM, such as "/auth/realms/master/admin-extensions/...". Those specific REALMs are accessed post authentication. For this REST endpoint, we're looking to access it generically pre authentication.
> Is it possible to create a custom REST endpoint that's not associated with a specific REALM?
>
> Thanks,
> Michael
>
>
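The approach Dmitry describes, as an added example that is not code from this thread or from the Keycloak project: a `RealmResourceProvider` that answers only when reached through the master realm and returns the realm that holds a given username. The class names, the `realm-lookup` id and the `username` parameter are hypothetical, and the calls assume the Keycloak server SPI as it stood in 2019 (`javax.ws.rs`, list-returning `getRealms()`, `getUserByUsername(username, realm)`).

```java
// Added example; class names, the "realm-lookup" id and the query parameter are hypothetical.
import java.util.Collections;
import java.util.Map;
import javax.ws.rs.GET;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;

public class RealmLookupProviderFactory implements RealmResourceProviderFactory {
    @Override public String getId() { return "realm-lookup"; } // URL segment after /realms/{realm}/
    @Override public RealmResourceProvider create(KeycloakSession session) {
        return new RealmLookupProvider(session);
    }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}

class RealmLookupProvider implements RealmResourceProvider {
    private final KeycloakSession session;
    RealmLookupProvider(KeycloakSession session) { this.session = session; }

    @Override public Object getResource() {
        // The SPI is realm-bound, so every realm exposes this path; serve it from master only.
        RealmModel current = session.getContext().getRealm();
        if (!Config.getAdminRealm().equals(current.getName())) {
            throw new NotFoundException();
        }
        return this;
    }

    @GET @Produces(MediaType.APPLICATION_JSON)
    public Map<String, String> lookup(@QueryParam("username") String username) {
        if (username == null || username.isEmpty()) throw new NotFoundException();
        for (RealmModel realm : session.realms().getRealms()) {
            if (session.users().getUserByUsername(username, realm) != null) {
                return Collections.singletonMap("realm", realm.getName());
            }
        }
        throw new NotFoundException(); // no realm holds this username
    }
    @Override public void close() { }
}
```

Registered through a `META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory` entry, this answers at `/auth/realms/master/realm-lookup?username=...` and returns 404 under any other realm. Because the endpoint is reachable before authentication and its answer reveals whether a username exists, it should sit behind rate limiting and request logging.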