[keycloak-user] Application to application: could Keycloak implement this?

Pedro Igor Silva psilva at redhat.com
Wed Jul 12 09:20:32 EDT 2017


FYI, in Wildfly 11 and Elytron identity propagation will be supported OOTB.
This is one of the main features brought to you by Elytron.

Your client should be able to authenticate with a remote server using an
OAuth2 Access Token (remoting + SASL OAUTHBEARER), which in turn can be
automatically propagated to other servers in the topology. In fact, you can
even propagate credentials if using other authentication mechanisms such as
PLAIN or Kerberos.

On Wed, Jul 12, 2017 at 4:10 AM, Marek Posolda <mposolda at redhat.com> wrote:

> Hi,
>
> We have an example in the documentation for EJB propagation from a web
> application where Keycloak is used. See
> https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/jboss-adapter.html
> and especially the last paragraph "Security domain".
>
> We have an unofficial example I've written to propagate identity from a fat
> client through remote EJB calls:
> https://github.com/mposolda/keycloak-remote-ejb
>
> Marek
>
> On 04/07/17 18:42, Tech wrote:
> > Dear experts,
> >
> > I want to bring you this use case to understand if you might be able to
> > support me.
> >
> > Our architecture is based on Java, where we might have two kinds of
> > clients:
> >
> >    * Fat java clients
> >    * Browsers
> >
> > Application servers with:
> >
> >    * Web containers performing local and remote EJB calls + remote WS
> >      calls
> >    * EJB container performing local and remote EJB calls + remote WS
> >      calls
> >    * A remote EJB server performing local and remote EJB calls + remote
> >      WS calls
> >    * WS implementing SOAP or REST
> >    * Server SSO able to protect what is described above
> >
> > The goal is to allow the clients (thin and fat) to authenticate on the
> > SSO server and to propagate the user identity on these requests:
> >
> >    * Fat client authenticated -> EJB secure -> WS secure
> >    * Browser authenticated -> Web container -> EJB secure -> WS secure
> >
> > The solution could use a secure token OAuth, OIDC or SAML.
> >
> > The token propagation should be based on standards JAAS and WS-Security.
> >
> > We saw that it is possible to implement something similar in some SAML
> > Login Modules on JBoss Enterprise server, but we are not finding
> > anything equivalent in Keycloak.
> >
> > We cannot find either, for example, not even for an STS server, what
> > the required elements are to transform this kind of token.
> >
> >
> > Did anybody face a similar experience?
> >
> > Thanks for your support!
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>


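As an added example (not code from this thread, Keycloak or WildFly Elytron), here is the wire format of the SASL OAUTHBEARER client-first message Pedro refers to, per RFC 7628, with the strict server-side parser that a propagating hop would need before forwarding the same bearer token. The token, hostnames and port are constructed sample values.

```python
"""Build and parse the SASL OAUTHBEARER (RFC 7628) client-first message.
Constructed example: the token/host/port values are made up."""
import re
from typing import Dict, Optional

KVSEP = "\x01"  # RFC 7628 key/value separator (%x01)


def build_client_response(token: str, authzid: Optional[str] = None,
                          host: Optional[str] = None,
                          port: Optional[int] = None) -> str:
    """Client side: gs2-header kvsep *kvpair kvsep.

    The gs2 header is "n," + optional "a=<authzid>" + ","; the mandatory
    'auth' pair carries the bearer token exactly as an HTTP Authorization value.
    """
    gs2_header = "n," + (f"a={authzid}" if authzid else "") + ","
    pairs = []
    if host:
        pairs.append(f"host={host}")
    if port:
        pairs.append(f"port={port}")
    pairs.append(f"auth=Bearer {token}")
    return gs2_header + KVSEP + KVSEP.join(pairs) + KVSEP + KVSEP


def parse_client_response(msg: str) -> Dict[str, str]:
    """Server side: validate framing strictly, reject duplicate keys, and
    return the authzid (if any), all kv pairs, and the extracted token."""
    m = re.fullmatch(r"n,(?:a=([^,\x01]+))?,\x01(.+)\x01\x01", msg, re.DOTALL)
    if not m:
        raise ValueError("malformed OAUTHBEARER client response")
    out: Dict[str, str] = {}
    if m.group(1):
        out["authzid"] = m.group(1)
    for pair in m.group(2).split(KVSEP):
        key, sep, value = pair.partition("=")
        if not sep or not key or key in out or key == "token":
            raise ValueError(f"bad or duplicate kv pair: {pair!r}")
        out[key] = value
    auth = out.get("auth", "")
    if not auth.lower().startswith("bearer ") or not auth[7:].strip():
        raise ValueError("missing mandatory 'auth=Bearer <token>' pair")
    out["token"] = auth[7:].strip()  # what the hop re-sends downstream
    return out


def is_valid_client_response(msg: str) -> bool:
    """Convenience predicate for rejecting a message without raising."""
    try:
        parse_client_response(msg)
        return True
    except ValueError:
        return False
```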