<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11.12.2014 18:07, Ruben Lopez wrote:<br>
</div>
<blockquote
cite="mid:CA+L_nNh_C3c_fw_+jP8vhyVsMVt50AEYWDUVfdW2XZoytDXg_w@mail.gmail.com"
type="cite">
<div dir="ltr">I have a couple more questions.
<div><br>
<div>
<div>1) Will you implement the features requested in
KEYCLOAK-402 and KEYCLOAK-405? If so, when?</div>
</div>
</div>
</div>
</blockquote>
Hard to say exactly, but looks that it will be quite soon as it is
requirement from more people and potential customers . Hopefully in
terms of weeks/months, but hard to promise exact date... I think it
would require enhance our existing password policies, but those
would be a bit harder to add than current simple policies as it will
also require to store some info in database (like password
expiration time and older passwords)<br>
<blockquote
cite="mid:CA+L_nNh_C3c_fw_+jP8vhyVsMVt50AEYWDUVfdW2XZoytDXg_w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>2) Are there any plans to support Integrated Windows
Authentication?</div>
</div>
</div>
</div>
</blockquote>
You mean login to KC when user is already logged in windows domain?
Yes, we have plan for add Kerberos/spnego soon and I think that it
should solve windows domain authentication too. Hopefully around
January.<br>
<br>
Marek<br>
<blockquote
cite="mid:CA+L_nNh_C3c_fw_+jP8vhyVsMVt50AEYWDUVfdW2XZoytDXg_w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div><br>
</div>
<div>Thanks :)</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-11-28 5:04 GMT-03:00 Stian
Thorgersen <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span
class=""><br>
<br>
----- Original Message -----<br>
> From: "Ruben Lopez" <<a
moz-do-not-send="true"
href="mailto:rubenlop88@gmail.com">rubenlop88@gmail.com</a>><br>
> To: "Marek Posolda" <<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>><br>
> Cc: <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> Sent: Thursday, 27 November, 2014 5:37:45 PM<br>
> Subject: Re: [keycloak-user] Questions about
keycloak<br>
><br>
> Hi Marek,<br>
><br>
> 2014-11-27 12:38 GMT-03:00 Marek Posolda < <a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>
> :<br>
><br>
><br>
><br>
><br>
><br>
> 1 - Is there any way to obtain an access token
for an OAuth Client via Client<br>
> Credentials[1]?<br>
> You mean something like Service account like
this from OAuth2 specs<br>
> <a moz-do-not-send="true"
href="http://tools.ietf.org/html/rfc6749#page-40"
target="_blank">http://tools.ietf.org/html/rfc6749#page-40</a>
? We don't have that yet, but<br>
> there are plans to support it afaik.<br>
><br>
><br>
><br>
><br>
> Yes, I was talking about secction 4.4 Client
Credentials Grant. Any idea<br>
> about when it will be implemented?<br>
<br>
</span>I can't give you and exact date, but it's
becoming more and more of a priority so should be
within a few months. We also plan to add cert based
authentication for clients.<br>
<br>
In the mean-time you can work-around this issue by
creating a user on behalf of the client and use
Resource Owner Password Credentials Grant (section
#4.3). Look at
'examples/preconfigured-demo/admin-access' in the
download for an example.<br>
<div class="">
<div class="h5"><br>
><br>
><br>
><br>
><br>
><br>
><br>
> 2 - If we make a request to an Application
(Resource Server) with an access<br>
> token and this Application needs to talk to
another protected Application to<br>
> form the response to the client, how does the
first Application<br>
> authenticates to the second Application? Does
Keycloak implements something<br>
> like Chain Grant Type Profile[2]?<br>
> yes, that is doable. We have an example where
we have frontend application<br>
> like 'customer-portal', which is able to
retrieve accessToken from keycloak<br>
> like here:<br>
> <a moz-do-not-send="true"
href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48"
target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48</a><br>
> and then use this accessToken to send request
to backend application<br>
> 'database-service' in Authorization header<br>
> <a moz-do-not-send="true"
href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54"
target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54</a><br>
> . Database-service is then able to
authenticate the token.<br>
><br>
> Currently our database-service is directly
serving requests and send back<br>
> data, but it shouldn't be a problem to add
another application to the chain,<br>
> so that database-service will send the token
again to another app like<br>
> 'real-database-service', which will return
data and those data will be sent<br>
> back to the original frontent requestor
(customer-portal). Is it something<br>
> what you meant?<br>
><br>
> Thats exactly what I meant. I will take a
look at the example.<br>
><br>
> Thank you very much.<br>
><br>
><br>
><br>
><br>
><br>
> Marek<br>
><br>
><br>
><br>
><br>
> Thanks in advance.<br>
><br>
><br>
>
_______________________________________________<br>
> keycloak-user mailing list <a
moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
><br>
><br>
>
_______________________________________________<br>
> keycloak-user mailing list<br>
> <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>