[keycloak-user] Recommendations for protecting REST service with bearer token and basic auth
Juraci Paixão Kröhling
juraci at kroehling.de
Fri Nov 21 12:15:24 EST 2014
On 11/21/2014 05:55 PM, Bill Burke wrote:
> Why does a "service account" have to be anything special? Why
> can't it be a regular user?
I don't know much about the internals and the implementation of the
user model in KC, but from where I'm standing, it can very well be.
So, to recap, this is how the flow for an external client (bash
script) would be:
- user creates an oauth client with refresh token policy set to never
- bash reads the keycloak.json and refresh token from somewhere
- bash uses the refresh token to obtain an access token from KC server
- bash uses the access token to make the request to the backend
On the first run:
- bash (or another CLI) builds a URL
- user opens this URL, logs in and gets a code from KC server
- user adds this code to the bash/CLI
- bash/CLI exchanges this code for a refresh token, persisting it
It seems that the only change required then is to move the token
policy to the apps/oauth clients. If so, I'll then start scratching a
proposal for this change. And perhaps a shell/native (Linux) client
that would handle the boilerplate above.
- Juca.
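The two flows sketched in the message above (first run: build the login URL, paste the code, exchange it for a refresh token and persist it; every later run: trade the stored refresh token for an access token and call the backend with a bearer header), written out as a small POSIX shell CLI. This is an added example, not code from the thread or from the Keycloak project. It assumes the current OpenID Connect endpoint layout (`/realms/<realm>/protocol/openid-connect/auth` and `/token`), a confidential client whose id and secret are sent as HTTP basic auth to the token endpoint, the out-of-band redirect URI `urn:ietf:wg:oauth:2.0:oob` so the code is shown to the user instead of redirected, and configuration through the environment variables `KC_URL`, `REALM`, `CLIENT_ID`, `CLIENT_SECRET` and `TOKEN_FILE` rather than by parsing keycloak.json. The functions `urlencode`, `json_field`, `build_auth_url`, `token_post`, `exchange_code`, `get_access_token` and `call_backend` are names chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from the list post or Keycloak): a bash/CLI OAuth2 client.
# Assumed configuration; override with environment variables.
KC_URL="${KC_URL:-https://sso.example.com/auth}"      # assumed server base URL
REALM="${REALM:-demo}"                                 # assumed realm name
CLIENT_ID="${CLIENT_ID:-bash-cli}"                     # assumed confidential client
CLIENT_SECRET="${CLIENT_SECRET:-changeme}"             # assumed client secret
REDIRECT_URI="urn:ietf:wg:oauth:2.0:oob"               # assumed: KC shows the code to the user
TOKEN_FILE="${TOKEN_FILE:-${HOME:-.}/.kc-cli/refresh_token}"
TOKEN_EP="$KC_URL/realms/$REALM/protocol/openid-connect/token"   # assumed endpoint path

# Percent-encode one query-string value (ASCII input; RFC 3986 unreserved chars kept).
urlencode() {
  s="$1"; out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"; s="${s#?}"        # peel off the first character
    case "$c" in
      [A-Za-z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Pull a flat string value out of a single-line JSON document: json_field "$json" key
json_field() {
  printf '%s' "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# First run, step 1: the URL the user opens in a browser to log in and obtain a code.
build_auth_url() {
  printf '%s/realms/%s/protocol/openid-connect/auth?client_id=%s&response_type=code&redirect_uri=%s&scope=%s' \
    "$KC_URL" "$REALM" "$(urlencode "$CLIENT_ID")" "$(urlencode "$REDIRECT_URI")" "$(urlencode "openid")"
}

# POST a grant to the token endpoint; client credentials go in the basic-auth header,
# never in the URL, so they do not end up in proxy or server access logs.
token_post() {
  curl -sS -X POST "$TOKEN_EP" -u "$CLIENT_ID:$CLIENT_SECRET" "$@"
}

# Write the refresh token with mode 0600: it is a long-lived credential.
save_refresh_token() {
  mkdir -p "$(dirname "$TOKEN_FILE")"
  (umask 077; printf '%s\n' "$1" > "$TOKEN_FILE")
}

# First run, steps 3-4: exchange the pasted code for tokens and persist the refresh token.
exchange_code() {
  resp=$(token_post --data-urlencode "grant_type=authorization_code" \
                    --data-urlencode "code=$1" \
                    --data-urlencode "redirect_uri=$REDIRECT_URI") || return 1
  rt=$(json_field "$resp" refresh_token)
  [ -n "$rt" ] || { printf 'no refresh_token in response: %s\n' "$resp" >&2; return 1; }
  save_refresh_token "$rt"
}

# Every later run: refresh token -> access token. The server may rotate the refresh
# token (RFC 6749 section 6); keep the newest one so the stored copy stays valid.
get_access_token() {
  rt=$(cat "$TOKEN_FILE") || return 1
  resp=$(token_post --data-urlencode "grant_type=refresh_token" \
                    --data-urlencode "refresh_token=$rt") || return 1
  at=$(json_field "$resp" access_token)
  [ -n "$at" ] || { printf 'refresh failed: %s\n' "$resp" >&2; return 1; }
  new_rt=$(json_field "$resp" refresh_token)
  [ -n "$new_rt" ] && save_refresh_token "$new_rt"
  printf '%s' "$at"
}

# Call the backend with the bearer token; the token is passed in a header, not the URL.
call_backend() {
  at=$(get_access_token) || return 1
  curl -sS -H "Authorization: Bearer $at" "$1"
}

main() {
  case "${1:-}" in
    login) printf 'Open this URL, log in, and paste the code shown:\n%s\ncode: ' "$(build_auth_url)"
           read -r code && exchange_code "$code" ;;
    get)   call_backend "$2" ;;
    *)     printf 'usage: %s login | get <backend-url>\n' "$0" >&2 ;;
  esac
}
main "$@"
```

Usage: `./kc-cli.sh login` once, then `./kc-cli.sh get https://api.example.com/resource` from scripts. Two points a practitioner should keep in mind: the refresh token file is the credential the whole scheme rests on, which is why it is written with `umask 077` and why the post's "never expire" policy should be scoped to exactly the clients that need it; and the user-pasted code path has no `state` check, which is acceptable only because the code is copied by hand rather than delivered through a redirect an attacker could trigger.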