[keycloak-user] OAuth Tokens and IoT Devices

Federico Michele Facca federico.facca at martel-innovate.com
Wed Sep 19 10:14:06 EDT 2018


What about taking a similar approach to the "access_offline" role?

Having a role which is "infinite_token" that, if granted and used as scope
in a request, grants you a token that lasts until revoked?

federico

On 19 September 2018 at 14:26, Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi,
>
> Yeah, true. Although there are some discussions happening about overriding
> token lifetime in clients. But yeah, right now any change in this regard
> will affect all clients in your realm ...
>
> On Wed, Sep 19, 2018 at 9:20 AM Federico Michele Facca <
> federico.facca at martel-innovate.com> wrote:
>
>> Hi Pedro :)
>> My understanding (but I may be wrong) is that in this way I will affect
>> the whole realm not just a client. Correct?
>>
>> Cheers,
>> Federico
>>
>> On 19 September 2018 at 14:12, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Or you can use long-lived tokens (e.g: 1 week, 1 month) and reduce the
>>> frequency your devices refresh tokens ...
>>>
>>> On Wed, Sep 19, 2018 at 7:14 AM Federico Michele Facca <
>>> federico.facca at martel-innovate.com> wrote:
>>>
>>>> Hi,
>>>> what is the current best solution in Keycloak to support a scenario where
>>>> devices need to authenticate using OAuth against an API?
>>>>
>>>> At the time being, to simplify, we use offline-refresh tokens and every
>>>> time, if the token is expired, generate a new token out of that.
>>>>
>>>> In terms of performance the trick we use is to cache the access token and
>>>> refresh it when needed with a background process.
>>>> This process, unfortunately, for some tiny computational devices can be
>>>> quite demanding and slow down the most important
>>>> goal of sending data to the API at given intervals.
>>>>
>>>> A better solution could be having a way to create never-expiring access
>>>> tokens (or with a manually defined expiry date); we understand
>>>> that may introduce security issues, but it would be only for specific
>>>> scenarios (and I doubt it will introduce more issues than the offline
>>>> token).
>>>>
>>>> Feelings? Suggestions?
>>>>
>>>> Cheers,
>>>> Federico
>>>>
>>>
>>
>>
>


-- 
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate* <https://www.martel-innovate.com/>  -  Professional
support for innovation projects
Click to download our innovators' insights!
<https://www.martel-innovate.com/premium-content/>
Follow Us on Twitter <https://twitter.com/Martel_Innovate>
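
The caching approach discussed in this thread, as an added example that is not part of the original messages or Keycloak's own code: a device-side cache that calls the token endpoint with the offline token only when the cached access token is about to expire, plus an offline simulation counting refresh round-trips per day for a 5-minute versus a 1-week access token lifespan. The class and function names, the realm and client names, the 30-second skew and the endpoint URL are assumptions; the fake endpoint and clock are constructed.

```python
import json
import time
from urllib import parse, request

def http_post(url, form):
    """Real transport: form-encoded POST to the realm's token endpoint."""
    data = parse.urlencode(form).encode()
    with request.urlopen(request.Request(url, data=data), timeout=10) as resp:
        return json.load(resp)

class DeviceTokenCache:
    """Caches the access token; uses the offline token only near expiry."""
    def __init__(self, token_url, client_id, offline_token,
                 post=http_post, clock=time.time, skew=30):
        self.token_url, self.client_id = token_url, client_id
        self.offline_token, self.post, self.clock = offline_token, post, clock
        self.skew = skew            # refresh this many seconds before expiry
        self._token, self._expires_at = None, 0
        self.refreshes = 0          # round-trips made to the token endpoint

    def access_token(self):
        if self._token is None or self.clock() >= self._expires_at - self.skew:
            body = self.post(self.token_url, {
                "grant_type": "refresh_token",
                "client_id": self.client_id,
                "refresh_token": self.offline_token,
            })
            self._token = body["access_token"]
            self._expires_at = self.clock() + int(body["expires_in"])
            # Keep a rotated refresh token if the server returns one.
            self.offline_token = body.get("refresh_token", self.offline_token)
            self.refreshes += 1
        return self._token

def simulate(lifespan_s, send_every_s=60, duration_s=86400):
    """Constructed offline run: fake clock and fake token endpoint."""
    now = [0]
    def fake_post(url, form):
        return {"access_token": "tok-%d" % now[0], "expires_in": lifespan_s}
    cache = DeviceTokenCache(
        "https://keycloak.example/auth/realms/iot/protocol/openid-connect/token",
        "sensor-client", "constructed-offline-token",
        post=fake_post, clock=lambda: now[0])
    for t in range(0, duration_s, send_every_s):   # one API send per tick
        now[0] = t
        cache.access_token()
    return cache.refreshes

if __name__ == "__main__":
    print("5-minute tokens:", simulate(300), "refreshes/day")
    print("1-week tokens:  ", simulate(7 * 86400), "refreshes/day")
```

The longer lifespan removes almost all refresh traffic, and it equally lengthens the time a leaked access token stays usable, since the device never returns to the server in between.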

