Merge pull request #426 from patriot1burke/master

docs and master realm rename

core/src/main/java/org/keycloak/Config.java

@@ -12,7 +12,7 @@ public class Config {
     }
 
     public static String getAdminRealm() {
-        return configProvider.scope("admin").get("realm", "keycloak-admin");
+        return configProvider.scope("admin").get("realm", "master");
     }
 
     public static String getProvider(String spi) {

docbook/reference/en/en-US/master.xml

@@ -6,6 +6,7 @@
                 <!ENTITY Installation SYSTEM "modules/server-installation.xml">
                 <!ENTITY OpenShift SYSTEM "modules/openshift.xml">
                 <!ENTITY AdminPermissions SYSTEM "modules/admin-permissions.xml">
+                <!ENTITY PerRealmAdminPermissions SYSTEM "modules/per-realm-admin-permissions.xml">
                 <!ENTITY AdapterConfig SYSTEM "modules/adapter-config.xml">
                 <!ENTITY JBossAdapter SYSTEM "modules/jboss-adapter.xml">
                 <!ENTITY JavascriptAdapter SYSTEM "modules/javascript-adapter.xml">
@@ -64,6 +65,7 @@ This one is short
     &Installation;
     &OpenShift;
     &AdminPermissions;
+    &PerRealmAdminPermissions;
     <chapter>
         <title>Adapters</title>
         <para>

docbook/reference/en/en-US/modules/Overview.xml

@@ -23,6 +23,10 @@
                 Social Login.  Enable Google, GitHub, Facebook, Twitter social login with no code required.
             </listitem>
 
+            <listitem>
+                LDAP and Active Directory support.
+            </listitem>
+
             <listitem>
                 Optional User Registration
             </listitem>
@@ -32,7 +36,25 @@
             </listitem>
 
             <listitem>
-                Pluggable theme and style support for user facing screens.
+                Forgot password support.  User can have an email sent to them
+            </listitem>
+
+            <listitem>
+                Reset password/totp.  Admin can force a password reset, or set up a temporary password.
+            </listitem>
+
+            <listitem>
+                Not-before revocation policies per realm, application, or user.
+            </listitem>
+
+            <listitem>
+                User session management.  Admin can view user sessions and what applications/clients have an access token.  Sessions can be invalidated
+                per realm or per user.
+            </listitem>
+
+            <listitem>
+                Pluggable theme and style support for user facing screens. Login, grant pages, account mgmt, and admin console all
+                can be styled, branded, and tailored to your application and organizational needs.
             </listitem>
 
             <listitem>
@@ -64,11 +86,14 @@
                 Admin Console for managing users, roles, role mappings, applications, user sessions, allowed CORS web origins, and OAuth clients.
             </listitem>
             <listitem>
-                Account Management console that allows users to manage their own account
+                Account Management console that allows users to manage their own account, view their open sessions, reset passwords, etc.
             </listitem>
             <listitem>
                 Deployable as a WAR, appliance, or on Openshift.
             </listitem>
+            <listitem>
+                Multitenancy support.  You can host and manage multiple realms for multiple organizations.
+            </listitem>
             <listitem>
                 Supports JBoss AS7, EAP 6.x, Wildfly and JavaScript applications.  Plans to support Node.js, RAILS, GRAILS, and other non-Java deployments
             </listitem>
@@ -100,7 +125,7 @@
     <section>
         <title>How Does Security Work in Keycloak?</title>
         <para>
-            Keycloak uses <emphasis>access tokens</emphasis>.  Access tokens contains security metadata specifying the
+            Keycloak uses <emphasis>access tokens</emphasis> to secure web invocations.  Access tokens contains security metadata specifying the
             identity of the user as well as the role mappings for that user.  The format of these tokens is a Keycloak
             extension to the <ulink url="http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-14">JSON Web Token</ulink> specification.  Each realm  has a private and public key pair
             which it uses to digitally sign the access token using the <ulink url="http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-19">JSON Web Signature</ulink> specification.
@@ -114,7 +139,7 @@
             no need for them to store any security metadata locally other than the public key of the realm.
         </para>
         <para>
-            Signed access tokens can also be proprogated by REST client requests within an <literal>Authorization</literal>
+            Signed access tokens can also be propagated by REST client requests within an <literal>Authorization</literal>
             header.  This is great for distributed integration as applications can request a login from a client to obtain
             an access token, then invoke any aggregated REST invocations to other services using that access token.  So,
             you have a distributed security model that is centrally managed, yet does not require a Keycloak Server hit

docbook/reference/en/en-US/modules/admin-permissions.xml

@@ -1,13 +1,20 @@
 <chapter id="admin-permissions">
-    <title>Admin Access Control</title>
+    <title>Master Admin Access Control</title>
     <para>
-        Access to The Admin Console and REST endpoints can be controlled by mapping roles to users in the <literal>keycloak-admin</literal> realm.
+        You can create and manage multiple realms by logging into the <literal>master</literal> Keycloak admin console
+        at <literal>/{keycloak-root/admin/index.html</literal>
+    </para>
+    <para>
+        Users in the Keycloak <literal>master</literal> realm can be granted permission to manage zero or more realms that are
+        deployed on the Keycloak server.  When a realm is created, Keycloak automatically creates various roles that grant fine-grain
+        permissions to access that new realm.
+        Access to The Admin Console and REST endpoints can be controlled by mapping these roles to users in the <literal>master</literal> realm.
         It's possible to create multiple super users as well as users that have only access to certain operations in specific realms.
     </para>
     <section>
         <title>Global Roles</title>
         <para>
-            There are two realm roles in the <literal>keycloak-admin</literal> realm. These are:
+            There are two realm roles in the <literal>master</literal> realm. These are:
             <itemizedlist>
                 <listitem>
                     <literal>admin</literal> - This is the super-user role and grants permissions to all operations on all realms
@@ -18,7 +25,7 @@
             </itemizedlist>
         </para>
         <para>
-            To add these roles to a user select the <literal>keycloak-admin</literal> realm, then click on <literal>Users</literal>.
+            To add these roles to a user select the <literal>master</literal> realm, then click on <literal>Users</literal>.
             Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
             <literal>Realm Roles</literal> assign any of the above roles to the user by selecting it and clicking on the right-arrow.
         </para>
@@ -27,7 +34,7 @@
     <section>
         <title>Realm Specific Roles</title>
         <para>
-            Each realm in Keycloak is represented by an application in the <literal>keycloak-admin</literal> realm. The name of the application
+            Each realm in Keycloak is represented by an application in the <literal>master</literal> realm. The name of the application
             is <literal>&lt;realm name&gt;-realm</literal>. This allows assigning access to users for individual realms. The
             roles available are:
             <itemizedlist>
@@ -60,10 +67,10 @@
             Manage roles includes permissions to view (for example a user with manage-realm role can also view the realm configuration).
         </para>
         <para>
-            To add these roles to a user select the <literal>keycloak-admin</literal> realm, then click on <literal>Users</literal>.
+            To add these roles to a user select the <literal>master</literal> realm, then click on <literal>Users</literal>.
             Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
             <literal>Application Roles</literal> select the application that represents the realm you're adding permissions to
             (<literal>&lt;realm name&gt;-realm</literal>), then assign any of the above roles to the user by selecting it and clicking on the right-arrow.
         </para>
     </section>
-</chapter>
+</chapter>

docbook/reference/en/en-US/modules/per-realm-admin-permissions.xml

@@ -0,0 +1,59 @@
+<chapter id="per-realm-admin-permissions">
+    <title>Per Realm Admin Access Control</title>
+    <para>
+        Administering your realm through the <literal>master</literal> realm as discussed in <xref linkend="admin-permissions" /> may not always be
+        ideal or feasible.  For example, maybe you have more than one admin application that manages various admin aspects of your organization
+        and you want to unify all these different "admin consoles" under one realm so you can do SSO between them.  Keycloak allows you to
+        grant realm admin privleges to users within that realm.  These realm admins can participate in SSO for that realm and
+        visit a keycloak admin console instance that is dedicated solely for that realm by going to the url:
+        <literal>/{keycloak-root}/admin/{realm}/console</literal>
+    </para>
+    <section>
+        <title>Realm Roles</title>
+        <para>
+            Each realm has a built-in application called <literal>realm-management</literal>.  This application defines
+            roles that define permissions that can be granted to manage the realm.
+            <itemizedlist>
+                <listitem>
+                    <literal>realm-admin</literal> - This is a composite role that grants all admin privileges for managing
+                    security for that realm.
+                </listitem>
+            </itemizedlist>
+            These are more fine-grain roles you can assign to the user.
+
+            <itemizedlist>
+                <listitem>
+                    <literal>view-realm</literal> - View the realm configuration
+                </listitem>
+                <listitem>
+                    <literal>view-users</literal> - View users (including details for specific user) in the realm
+                </listitem>
+                <listitem>
+                    <literal>view-applications</literal> - View applications in the realm
+                </listitem>
+                <listitem>
+                    <literal>view-clients</literal> - View clients in the realm
+                </listitem>
+
+                <listitem>
+                    <literal>manage-realm</literal> - Modify the realm configuration (and delete the realm)
+                </listitem>
+                <listitem>
+                    <literal>manage-users</literal> - Create, modify and delete users in the realm
+                </listitem>
+                <listitem>
+                    <literal>manage-applications</literal> - Create, modify and delete applications in the realm
+                </listitem>
+                <listitem>
+                    <literal>manage-clients</literal> - Create, modify and delete clients in the realm
+                </listitem>
+            </itemizedlist>
+            Manage roles includes permissions to view (for example a user with manage-realm role can also view the realm configuration).
+        </para>
+        <para>
+            To add these roles to a user select the realm you want. Then click on <literal>Users</literal>.
+            Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
+            <literal>Application Roles</literal> select <literal>realm-management</literal>, then assign any of the above roles to the user by selecting it and clicking on the right-arrow.
+        </para>
+    </section>
+</chapter>

docbook/reference/en/en-US/modules/server-installation.xml

@@ -56,8 +56,8 @@ keycloak-appliance-dist-all-1.0-beta-1-SNAPSHOT/
             <literal>standalone.bat</literal>
             script is used to start the server.
             After executing that, log into the admin console at<ulink
-                url="http://localhost:8080/auth/rest/admin/login">
+                url="http://localhost:8080/auth/admin/index.html">
-            http://localhost:8080/auth/rest/admin/login</ulink>.
+            http://localhost:8080/auth/admin/index.html</ulink>.
             Username: <emphasis>admin</emphasis>
             Password: <emphasis>admin</emphasis>. Keycloak will then prompt you to
             enter in a new password.
@@ -107,8 +107,11 @@ keycloak-war-dist-all-1.0-beta-1-SNAPSHOT/
         </para>
         <para>
             After booting up the JBoss or Wildfly distro, you can then make sure it is installed properly
-            by logging into the admin console at<ulink url="http://localhost:8080/auth/admin">http://localhost:8080/auth/admin</ulink>.
+            by logging into the admin console at<ulink
-            Username: <emphasis>admin</emphasis>, Password: <emphasis>admin</emphasis>. Keycloak will then prompt you to
+                url="http://localhost:8080/auth/admin/index.html">
+            http://localhost:8080/auth/admin/index.html</ulink>.
+            Username: <emphasis>admin</emphasis>
+            Password: <emphasis>admin</emphasis>. Keycloak will then prompt you to
             enter in a new password.
         </para>
     </section>
@@ -315,6 +318,7 @@ keycloak-war-dist-all-1.0-beta-1-SNAPSHOT/
 <programlisting>
     WARN  [org.jboss.resteasy.core.ResourceLocator] (http-/127.0.0.1:8080-3)
                 Field providers of subresource xxx will not be injected according to spec
+
 </programlisting>
 
             <para>

project-integrations/aerogear-ups/auth-server/src/main/webapp/WEB-INF/keycloak-server.json

@@ -1,6 +1,6 @@
 {
     "admin": {
-        "realm": "keycloak-admin"
+        "realm": "master"
     },
 
     "model": {

server/src/main/resources/META-INF/keycloak-server.json

@@ -1,6 +1,6 @@
 {
     "admin": {
-        "realm": "keycloak-admin"
+        "realm": "master"
     },
 
     "audit": {

testsuite/integration/src/main/resources/META-INF/keycloak-server.json

@@ -1,6 +1,6 @@
 {
     "admin": {
-        "realm": "keycloak-admin"
+        "realm": "master"
     },
 
     "audit": {