@matzew
Forked from sebastienblanc/gist:6547605
Last active August 29, 2015 14:07

User Management via Keycloak for the AeroGear Unified Push Server

Introduction

The goal of this document is to describe how the User Management (based on Keycloak) will be implemented in the UnifiedPush Server. Currently there is only one user (admin) created by default when installing UPS. Having the possibility to create multiple (non-admin) users via the Keycloak Admin Console is a Must Have. Some roles should also be introduced.

Roles / Permissions

There will be two different roles in this first version:

  • admin : There is a single admin, which is like the +super user+. The admin has read/write access to all Applications/Variants of the other users, including the possibility to send push messages. Besides accessing UPS features, the admin is the only user that is allowed to access the Keycloak Admin UI (e.g. to create new users).
  • developer : It is possible to have multiple users that have the developer role. Each of them can create/read/update and delete only their own Applications/Variants. There is +NO+ option to access the Keycloak Admin UI.

Role / action | CRUD | Reset App/Variant secrets | Send a push | Sees Apps/Variants of all users | Keycloak Admin UI
Admin         | X    | X                         | X           | X                               | X
Developer     | X    | X                         | X           |                                 |

User management flow

The admin can create new users using the Keycloak Admin UI: http://aerogear.org/docs/unifiedpush/ups_userguide/server-administration/#_user_management

Password Management

At creation, the user will have an initial password.

First Login

When logging in for the first time, the newly created user will be prompted to change his password. This is a feature of Keycloak.

Reset Password Instruction

If a user wants to reset his password, he can do that on the Account Management section of the UnifiedPush Server: http://aerogear.org/docs/unifiedpush/ups_userguide/admin-ui/#_account_management

Security Implementation

Currently the single user (admin) sees only his Applications and Variants: https://github.com/aerogear/aerogear-unifiedpush-server/blob/master/jaxrs/src/main/java/org/jboss/aerogear/unifiedpush/rest/registry/applications/PushApplicationEndpoint.java#L88

This needs to be changed, as discussed in the Roles / Permissions section:

  • admin sees all: the service should query all Applications/Variants if the role/username is admin
  • developer role sees only his own (as is the case today)
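The following is an added illustration of that rule (it is not the project's own code and is not the linked PushApplicationEndpoint): the role decision is made server-side from the JAX-RS SecurityContext, so the REST API enforces the scoping no matter which UI calls it. It assumes a hypothetical PushApplicationService with findAll() and findAllForDeveloper() methods, and that the Keycloak adapter exposes the realm role "admin" through isUserInRole().

```java
// Added example, not part of the UnifiedPush Server code base.
// Assumptions: hypothetical PushApplicationService; the Keycloak adapter
// maps the realm role "admin" into the JAX-RS SecurityContext.
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import java.util.List;

@Path("/applications")
public class ScopedPushApplicationEndpoint {

    private static final String ADMIN_ROLE = "admin"; // assumption: realm role name

    // Hypothetical persistence interface; the real service layer differs.
    public interface PushApplicationService {
        List<Object> findAll();
        List<Object> findAllForDeveloper(String loginName);
    }

    private final PushApplicationService service;

    public ScopedPushApplicationEndpoint(PushApplicationService service) {
        this.service = service;
    }

    // Decision helper kept free of container types apart from SecurityContext,
    // so the scoping rule can be unit-tested with a stub SecurityContext.
    static List<Object> applicationsVisibleTo(SecurityContext sc, PushApplicationService service) {
        if (sc.getUserPrincipal() == null) {
            // The Keycloak adapter should reject unauthenticated calls before this point.
            throw new IllegalStateException("unauthenticated request reached the endpoint");
        }
        if (sc.isUserInRole(ADMIN_ROLE)) {
            return service.findAll(); // admin: every Application/Variant of every user
        }
        // Any non-admin role falls through to the narrowest scope: own apps only.
        return service.findAllForDeveloper(sc.getUserPrincipal().getName());
    }

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response listApplications(@Context SecurityContext sc) {
        return Response.ok(applicationsVisibleTo(sc, service)).build();
    }
}
```

Any role other than admin, including one added later, gets the developer scope by default, so a new role cannot accidentally widen what a user sees.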

Enabled default users

Currently the admin user is the only user. It would be nice if, by default, there was already one developer user created when installing the UPS. However, this user should not be enabled by default. It would be nice if the admin had to explicitly enable it through the Keycloak Console.
