[keycloak-user] Announce - Secret Store

Bill Burke bburke at redhat.com
Wed Jan 20 12:50:51 EST 2016



On 1/20/2016 11:44 AM, Juraci Paixão Kröhling wrote:
> On 20.01.2016 17:12, Bill Burke wrote:
>> What you are describing MAKES ZERO SENSE.  From your document:
>>
>> "A token is created when a user reaches the path
>> /secret-store/v1/tokens/create via GET (or passing the username and
>> password as Basic authentication via POST) and stored into a Cassandra
>> data store:"
>>
>> You are doing EXACTLY what the direct grant REST api does except you are
>> using basic auth.   I still don't see the purpose of this service.
> Those are performed in different steps. The user creates this token via
> a UI (or CLI, if needed), then uses this key/secret as the credentials
> on the client.
>
> The client has no knowledge about Keycloak, OAuth, or about any meta
> data that was embedded into this opaque token. All it cares about is that it's
> going to call the end service using basic auth.
>
> The secret store is *not* for every application: it's targeted to
> clients where OAuth handling is costly, undesirable or even impossible
> (like legacy applications). So, instead of entering the user's own
> credentials there, the key/secret is used instead.
>
> Our "metrics collector agent" is the main target for this: the knowledge
> about auth doesn't belong there. All it needs to know is a "user" and
> "password", which are the "key" and "secret" for the token. Where
> Keycloak is, how to create an access token from an offline token, how
> long to keep an access token, and so on is made at the secret store, as
> we need to save every processing cycle possible, to not badly influence
> a server that is being monitored (and possibly, already in a bad shape).
>
> Of course, if you can live with your password being stored in plaintext
> on the clients, you don't need the secret store. But honestly, that
> seems ridiculous.
Thanks for the explanation and sorry if I sounded rude.  We have people 
suggesting crazy redundant shit all the time and I thought this just 
might have been yet another case of this.  Makes sense now.  Something 
interesting that we should add to Keycloak as an optional service 
sometime in the future.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com