[keycloak-user] Questions about keycloak

Marek Posolda mposolda at redhat.com
Fri Dec 12 04:43:56 EST 2014


On 11.12.2014 18:07, Ruben Lopez wrote:
> I have a couple more questions.
>
> 1) Will you implement the features requested in KEYCLOAK-402 and 
> KEYCLOAK-405? If so, when?
Hard to say exactly, but it looks like it will be quite soon, as it is a 
requirement from more people and potential customers. Hopefully in 
terms of weeks/months, but it's hard to promise an exact date... I think it 
would require enhancing our existing password policies, but those would be 
a bit harder to add than the current simple policies, as it will also require 
storing some info in the database (like password expiration time and older 
passwords).
> 2) Are there any plans to support Integrated Windows Authentication?
You mean logging in to KC when the user is already logged in to a Windows 
domain? Yes, we have a plan to add Kerberos/SPNEGO soon and I think that it 
should solve Windows domain authentication too. Hopefully around January.

Marek
>
> Thanks :)
>
> 2014-11-28 5:04 GMT-03:00 Stian Thorgersen <stian at redhat.com>:
>
>
>
>     ----- Original Message -----
>     > From: "Ruben Lopez" <rubenlop88 at gmail.com>
>     > To: "Marek Posolda" <mposolda at redhat.com>
>     > Cc: keycloak-user at lists.jboss.org
>     > Sent: Thursday, 27 November, 2014 5:37:45 PM
>     > Subject: Re: [keycloak-user] Questions about keycloak
>     >
>     > Hi Marek,
>     >
>     > 2014-11-27 12:38 GMT-03:00 Marek Posolda <mposolda at redhat.com>:
>     >
>     >
>     >
>     >
>     >
>     > 1 - Is there any way to obtain an access token for an OAuth Client via
>     > Client Credentials[1]?
>     > You mean something like Service account like this from OAuth2 specs
>     > http://tools.ietf.org/html/rfc6749#page-40 ? We don't have that yet, but
>     > there are plans to support it afaik.
>     >
>     >
>     >
>     >
>     > Yes, I was talking about section 4.4 Client Credentials Grant. Any idea
>     > about when it will be implemented?
>
>     I can't give you an exact date, but it's becoming more and more
>     of a priority so should be within a few months. We also plan to
>     add cert based authentication for clients.
>
>     In the meantime you can work around this issue by creating a user
>     on behalf of the client and use Resource Owner Password
>     Credentials Grant (section #4.3). Look at
>     'examples/preconfigured-demo/admin-access' in the download for an
>     example.
>
>     >
>     >
>     >
>     >
>     >
>     >
>     > 2 - If we make a request to an Application (Resource Server) with an access
>     > token and this Application needs to talk to another protected Application to
>     > form the response to the client, how does the first Application
>     > authenticate to the second Application? Does Keycloak implement something
>     > like Chain Grant Type Profile[2]?
>     > Yes, that is doable. We have an example where we have a frontend application
>     > like 'customer-portal', which is able to retrieve accessToken from keycloak
>     > like here:
>     > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48
>     > and then use this accessToken to send a request to the backend application
>     > 'database-service' in the Authorization header
>     > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54
>     > . Database-service is then able to authenticate the token.
>     >
>     > Currently our database-service is directly serving requests and sending back
>     > data, but it shouldn't be a problem to add another application to the chain,
>     > so that database-service will send the token again to another app like
>     > 'real-database-service', which will return data and those data will be sent
>     > back to the original frontend requestor (customer-portal). Is that
>     > what you meant?
>     >
>     > That's exactly what I meant. I will take a look at the example.
>     >
>     > Thank you very much.
>     >
>     >
>     >
>     >
>     >
>     > Marek
>     >
>     >
>     >
>     >
>     > Thanks in advance.
>     >
>     >
>     > _______________________________________________
>     > keycloak-user mailing list keycloak-user at lists.jboss.org
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
