[keycloak-user] Native applications and federated login

Stian Thorgersen sthorger at redhat.com
Wed Nov 11 09:42:05 EST 2015


On 11 November 2015 at 15:27, Tomas Groth Christensen <tgc at dma.dk> wrote:

> Hi,
>
> I have a question about how to use OpenId Connect and KeyCloak and hope
> that someone here will be able to help.
> I'm part of a project where federated login will be used. We are planning
> to use Keycloak as Identity Broker and multiple Identity Providers will be
> set up, some Identity Providers will be Keycloak instances, others not. For
> now the assumption is that all the Identity Providers will support OpenId
> Connect.
>
> One of the use cases we need to support is authentication of applications
> for communication to webservices (machine to machine communication), but it
> is causing us some trouble.
> The webservices will be created as clients in the Keycloak Identity
> Broker. But how do we authenticate the applications?
> The applications will not be browser based, so using the webinterface for
> authentication is not possible. There exist some guides (including this
> Keycloak blog post:
> http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html)
> that describe how this can be done when using Keycloak directly as
> Identity Provider, but I haven't been able to find any solutions to how to
> make it work when there is an Identity Broker involved.
>
> Reading the Keycloak documentation I couldn't help notice the big fat
> warning in the chapter about Direct Access Grant (
> http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html)
> which discourages bypassing the webinterface. This leads me to think that
> this kind of federated authentication without a browser is not supported by
> OpenId Connect, or am I missing something?
>

Firstly, identity brokering is not part of OpenID Connect; it's a feature
provided by Keycloak.

Direct access grants are for users, not clients. We recommend using the web
based flows for users. Otherwise you don't get SSO and a bunch of other
features provided by Keycloak. It's also less secure as you are exposing
passwords directly to applications.

For clients (service accounts), on the other hand, the client credentials
grant is used, which is a different flow. It's not part of OpenID Connect,
but only OAuth 2.0.

Neither of the above flows has support for identity brokering in Keycloak
at the moment. We could potentially add support to use those flows and
provide a token from a brokered IdP instead of credentials. It should work
relatively well for the user-based flow, but I'm less sure about the client
credentials grant flow, as it assumes there's a client in Keycloak (with a
linked user account), so this would be considerably more complex to support.


>
> I've had a look at offline tokens, but to generate them, manual browser
> based authentication is still needed, at least as far as I can see...
>
> I hope someone on the list has an idea for a smart workaround :)
>
> Best regards,
> Tomas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
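Added example, not code from the thread or from Keycloak itself: the two token requests Stian contrasts, built for Keycloak's OAuth 2.0 token endpoint, plus a check of the claims that tell a service-account token apart from a user token. The issuer URL, client id and secret, and the unsigned sample JWT are constructed assumptions.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed realm URL; Keycloak's token endpoint lives under the realm's issuer.
ISSUER = "https://sso.example.test/auth/realms/demo"
TOKEN_ENDPOINT = f"{ISSUER}/protocol/openid-connect/token"

def client_credentials_request(client_id: str, client_secret: str) -> dict:
    """Client credentials grant (OAuth 2.0 only): the client authenticates
    itself with HTTP Basic; no user password passes through the application."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": TOKEN_ENDPOINT,
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials"}),
    }

def direct_access_grant_request(client_id: str, username: str, password: str) -> dict:
    """Resource owner password grant (Keycloak's 'direct access grant'): the
    user's password is handed to the application in clear, which is the
    exposure the reply warns about and why browser flows are preferred for users."""
    return {
        "url": TOKEN_ENDPOINT,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "password", "client_id": client_id,
                           "username": username, "password": password}),
    }

def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT for inspection (no signature check)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def is_service_account_token(token: str) -> bool:
    """Keycloak names the service-account user 'service-account-<client id>',
    so a token whose preferred_username matches its azp that way came from a
    client credentials grant rather than from a human user."""
    claims = jwt_payload(token)
    return claims.get("preferred_username") == f"service-account-{claims.get('azp')}"

def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token (alg=none) for local inspection only."""
    def enc(d): return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

Neither request builder performs the HTTP call; send the returned url, headers and body with any HTTP client to obtain the token response.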