[keycloak-user] Any limit on number of clients?

Stian Thorgersen sthorger at redhat.com
Fri Jan 15 10:37:10 EST 2016


Depends on what a device is. If it's a device that is controlled by a human
that could authenticate as themselves then use a user account. If it's a
device that is purely non-human than use a service account.

On 15 January 2016 at 16:05, Aikeaguinea <aikeaguinea at xsmail.com> wrote:

> I realize these aren't clients in the sense Keycloak intends, but in this
> case Keycloak provides all the functionality I need without me having to
> rebuild it myself -- particularly with respect to generating and managing
> certificates. Since the devices are all under our control, the concept of a
> service account seems to fit even if the Keycloak concept of "client"
> really is intended for something else.
>
> Will using Keycloak clients for this purpose get us in trouble somehow?
>
>
> On Wed, Jan 13, 2016, at 09:46 AM, Bill Burke wrote:
>
> I think you'd be better served having public clients and developing cert
> auth for users via our auth spi, as these are users aren't they?  They
> aren't clients in the sense of what Keycloak thinks of as a client.  A
> client in keycloak is really a service or web app.
>
> On 1/13/2016 2:43 AM, Stian Thorgersen wrote:
>
> As Bill said we haven't tested with loads of clients, but we need to be
> able to scale to hundreds or probably thousand clients at least. So if you
> run into issues with it let us know and we'll look into it.
>
> On 13 January 2016 at 01:18, Aikeaguinea <aikeaguinea at xsmail.com> wrote:
>
> I'd say we're talking on the order of a hundred to start with; this
> could ramp up to multiples of that within a year or two. I imagine the
> thing to do would be for us to do some stress testing of our own.
>
> On Tue, Jan 12, 2016, at 06:57 PM, Bill Burke wrote:
> > How many devices you talking about?  I think it may become an issue as
> > we haven't really stressed and benched with tons (hundreds/thousands) of
> > clients.
> >
> > On 1/12/2016 6:08 PM, Aikeaguinea wrote:
> > > We have a number of devices that need to access APIs; for various
> > > reasons we need to use client certificates for this purpose.
> > >
> > > I have noticed that Keycloak will allow service accounts to
> authenticate
> > > using client certificates and that these certificates can be generated
> > > within Keycloak. This looks like it fits our needs well -- when we set
> > > up a new device we would need to set up a new client and service
> account
> > > for it in Keycloak. I've verified through testing that we can make this
> > > work.
> > >
> > > Ultimately we may have to manage a fairly large number of devices, say
> > > in the hundreds. Is there any reason that Keycloak would limit us in
> the
> > > number of clients we could create and manage in this way?
> > >
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> --
>   Aikeaguinea
> aikeaguinea at xsmail.com
>
> --
> http://www.fastmail.com - Or how I learned to stop worrying and
>                           love email again
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
>
> _______________________________________________
> keycloak-user mailing listkeycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hathttp://bill.burkecentral.com
>
> *_______________________________________________*
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> --
>   Aikeaguinea
>   aikeaguinea at xsmail.com
>
>
>
> -- http://www.fastmail.com - The way an email service should be
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160115/c07c528f/attachment-0001.html 


More information about the keycloak-user mailing list