[keycloak-dev] Am I doing this right?

Stian Thorgersen stian at redhat.com
Tue May 19 10:35:52 EDT 2015

----- Original Message -----
> From: "Stan Silvert" <ssilvert at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, 14 May, 2015 6:31:38 PM
> Subject: [keycloak-dev] Am I doing this right?
> 
> Temporary home for Keycloak/Elytron integration is here:
> https://github.com/ssilvert/keycloak-elytron-temp
> 
> In looking back over it, I realize I need to ask some general questions.
> 
> The way the initial realm implementation works is that I implement the
> Elytron realm interface.  Whenever Elytron asks for a user
> authentication, it calls out to a Keycloak server to validate credentials.
> 
> The way I'm doing that right now is to use a Direct Access Grant.  I
> adapted some of Bill's code for this purpose:
> https://github.com/ssilvert/keycloak-elytron-temp/blob/master/realm-impl/src/main/java/org/keycloak/elytron/realm/DirectGrantLogin.java
> 
> On the Keycloak side, this requires allowing direct access grants on the
> realm and defining a direct access client.  Is there any reason why
> someone would not want to do this?   If so, should I provide some
> alternate means of authentication?

Depends on the use-case. If it's web based it should use redirects, not direct grant. Elytron has to support redirect based authentication as well.

If it's not web based (CLI, etc.) and it's authenticating a user it should be direct grant. Although it needs to make sure the token is used (and not storing username/password). Direct grant is a way to obtain a token with a user's credentials, not really a mechanism to verify user credentials.

If it's not web based and it's authenticating a client it should not use direct grant. It should use client credentials grant (I think it's called) and authenticate with certificates or signed JWTs.

> 
> Stan
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
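As an added example (not code from this thread or from Stan's repository), the following Python sketch shows the two points made in the reply: the direct grant is sent once to obtain tokens, after which the realm keeps only the access and refresh tokens and never the password, and a client authenticating itself builds a client-credentials request instead. The token URL, the client id and the injectable post() hook are assumptions for illustration.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def direct_grant_request(username, password, client_id):
    # Resource Owner Password Credentials grant, "direct access grant" in Keycloak.
    return {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}

def client_credentials_request(client_id, client_secret):
    # Client Credentials grant: proves the client's identity, never a user's.
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret}

class TokenSession:
    """Holds only the tokens a direct grant returned. The password is sent once and
    dropped; later calls present the access token or use the refresh token."""
    def __init__(self, token_url, client_id="elytron-realm", post=None):
        # token_url and client_id are assumed values, not taken from the thread
        self.token_url = token_url
        self.client_id = client_id
        self._post = post or self._http_post  # injectable so tests run offline
        self.access_token = None
        self._refresh_token = None
        self._expires_at = 0.0

    @staticmethod
    def _http_post(url, form):
        req = Request(url, data=urlencode(form).encode(),
                      headers={"Content-Type": "application/x-www-form-urlencoded"})
        with urlopen(req) as resp:
            return json.load(resp)

    def _store(self, token_response):
        self.access_token = token_response["access_token"]
        self._refresh_token = token_response.get("refresh_token")
        # Treat the token as expired a few seconds early so a stale one is never presented.
        self._expires_at = time.time() + token_response.get("expires_in", 0) - 5

    def login(self, username, password):
        form = direct_grant_request(username, password, self.client_id)
        self._store(self._post(self.token_url, form))
        return self.access_token  # the realm keeps this, not the password

    def token(self):
        if time.time() >= self._expires_at and self._refresh_token:
            self._store(self._post(self.token_url, {"grant_type": "refresh_token",
                "client_id": self.client_id, "refresh_token": self._refresh_token}))
        return self.access_token
```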