<div dir="ltr">Only watched a bit of it, but it seems like a headache to maintain. As it's completely decentralized how do you manage what service can access what service. Imagine if you know one service that can access 100 other services is compromised and you then have to remove it's public keys everywhere.<div><br></div><div>Having a centralized solution like Keycloak is much better. You have a centralized point of controlling what services can access what services. You have a single place where you need to protect the private key. You can much more easily remove access to a compromised service.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 24 August 2016 at 09:57, Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hello,<br></div><div><br></div><div>just stumbled upon an (IMHO) interesting example for trusted service to service</div><div>communication with JWT.</div><div><div><br>Microservices with Spring Boot and Java JSON Web Tokens (JJWT)</div><div><a href="https://www.youtube.com/watch?v=saiwZzE5IYg" target="_blank">https://www.youtube.com/watch?<wbr>v=saiwZzE5IYg</a></div></div><div><br></div><div>They use the JJWT (<a href="https://github.com/jwtk/jjwt" target="_blank">https://github.com/jwtk/jjwt</a>) library and and demonstrate how to use </div><div>the kid (Key ID) claim of JWT.</div><div>In order to establish trust between two services, public keys are exchanged to verify </div><div>each others JWT token signatures.</div><div>So instead of using a shared public key (e.g. Realm public key in Keycloak) they have a public key per service.</div><div><br></div><div>I wonder how this would look like with Keycloak.</div><div><br></div><div>Cheers,</div><div>Thomas</div></div>
<br>______________________________<wbr>_________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-dev</a><br></blockquote></div><br></div>