<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">If you are interested in just a Keycloak
1.0 server running in a cluster, and not the secured applications
themselves, then just these 2 things are required:<br>
1) Use 'jpa' or 'mongo' as the userSession provider in
keycloak-server.json and use a shared database among all cluster
nodes. By default Keycloak uses the 'mem' provider, which means
that user sessions are stored in the memory of the particular Keycloak
server. This performs well, but is not cluster aware.<br>
2) Disable both the realm and user caches in the admin console, as the caches
are also stored just in local memory.<br>
<br>
Both (1) and (2) should ensure that your Keycloak server will be
cluster-safe, but they are quite bad for performance. From
1.1.0.Beta1 we have an Infinispan provider for user sessions, realm
caches and user caches. This ensures both cluster-safety and good
performance.<br>
<br>
Marek<br>
<br>
On 16.12.2014 17:18, Ruben Lopez wrote:<br>
</div>
<blockquote
cite="mid:CA+L_nNgkTq9YxtJHcPE1ff7bJTVsMY1sF0vR0M3sY5-2FUfYQw@mail.gmail.com"
type="cite">
<div>
<div>Thanks for the quick answers!</div>
<div><br>
</div>
<div>I couldn't find documentation about how to install Keycloak
1.0 in a clustered environment. I know that Keycloak 1.1 does
have documentation about this but it is still in beta and the
company I work for needs to know if there is a similar
mechanism that can be implemented with Keycloak 1.0.</div>
<div><br>
</div>
<div class="gmail_quote">On Fri Dec 12 2014 at 6:44:00 AM, Marek
Posolda <<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>On 11.12.2014 18:07, Ruben Lopez wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I have a couple more questions.
<div><br>
<div>
<div>1) Will you implement the features requested
in KEYCLOAK-402 and KEYCLOAK-405? If so, when?</div>
</div>
</div>
</div>
</blockquote>
</div>
<div bgcolor="#FFFFFF" text="#000000"> Hard to say exactly,
but it looks like it will be quite soon, as it is a requirement
from more people and potential customers. Hopefully in
terms of weeks/months, but it is hard to promise an exact date... I
think it would require enhancing our existing password
policies, but those would be a bit harder to add than the
current simple policies, as it will also require storing
some info in the database (like password expiration time and
older passwords).</div>
<div bgcolor="#FFFFFF" text="#000000"><br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>2) Are there any plans to support Integrated
Windows Authentication?</div>
</div>
</div>
</div>
</blockquote>
</div>
<div bgcolor="#FFFFFF" text="#000000"> You mean login to KC
when the user is already logged in to a Windows domain? Yes, we
have a plan to add Kerberos/SPNEGO soon and I think that it
should solve Windows domain authentication too. Hopefully
around January.</div>
<div bgcolor="#FFFFFF" text="#000000"><br>
<br>
Marek</div>
<div bgcolor="#FFFFFF" text="#000000"><br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div><br>
</div>
<div>Thanks :)</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-11-28 5:04
GMT-03:00 Stian Thorgersen <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:stian@redhat.com"
target="_blank">stian@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span><br>
<br>
----- Original Message -----<br>
> From: "Ruben Lopez" <<a
moz-do-not-send="true"
href="mailto:rubenlop88@gmail.com"
target="_blank">rubenlop88@gmail.com</a>><br>
> To: "Marek Posolda" <<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>><br>
> Cc: <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a><br>
> Sent: Thursday, 27 November, 2014
5:37:45 PM<br>
> Subject: Re: [keycloak-user]
Questions about keycloak<br>
><br>
> Hi Marek,<br>
><br>
> 2014-11-27 12:38 GMT-03:00 Marek
Posolda < <a moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>
> :<br>
><br>
><br>
><br>
><br>
><br>
> 1 - Is there any way to obtain an
access token for an OAuth Client via
Client<br>
> Credentials[1]?<br>
> You mean something like Service
account like this from OAuth2 specs<br>
> <a moz-do-not-send="true"
href="http://tools.ietf.org/html/rfc6749#page-40"
target="_blank">http://tools.ietf.org/html/rfc6749#page-40</a>
? We don't have that yet, but<br>
> there are plans to support it afaik.<br>
><br>
><br>
><br>
><br>
> Yes, I was talking about section 4.4
Client Credentials Grant. Any idea<br>
> about when it will be implemented?<br>
<br>
</span>I can't give you an exact date, but
it's becoming more and more of a priority so
should be within a few months. We also plan
to add cert based authentication for
clients.<br>
<br>
In the meantime you can work around this
issue by creating a user on behalf of the
client and use Resource Owner Password
Credentials Grant (section #4.3). Look at
'examples/preconfigured-demo/admin-access'
in the download for an example.<br>
<div>
<div><br>
><br>
><br>
><br>
><br>
><br>
><br>
> 2 - If we make a request to an
Application (Resource Server) with an
access<br>
> token and this Application needs to
talk to another protected Application to<br>
> form the response to the client,
how does the first Application<br>
> authenticate to the second
Application? Does Keycloak implement
something<br>
> like Chain Grant Type Profile[2]?<br>
> yes, that is doable. We have an
example where we have frontend
application<br>
> like 'customer-portal', which is
able to retrieve accessToken from
keycloak<br>
> like here:<br>
> <a moz-do-not-send="true"
href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48"
target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48</a><br>
> and then use this accessToken to
send request to backend application<br>
> 'database-service' in Authorization
header<br>
> <a moz-do-not-send="true"
href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54"
target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54</a><br>
> . Database-service is then able to
authenticate the token.<br>
><br>
> Currently our database-service is
directly serving requests and send back<br>
> data, but it shouldn't be a problem
to add another application to the chain,<br>
> so that database-service will send
the token again to another app like<br>
> 'real-database-service', which will
return data and those data will be sent<br>
> back to the original frontend
requestor (customer-portal). Is that<br>
> what you meant?<br>
><br>
> That's exactly what I meant. I will
take a look at the example.<br>
><br>
> Thank you very much.<br>
><br>
><br>
><br>
><br>
><br>
> Marek<br>
><br>
><br>
><br>
><br>
> Thanks in advance.<br>
><br>
><br>
>
_______________________________________________<br>
> keycloak-user mailing list <a
moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a><br>
> <a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
><br>
><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
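<div>Added example, not part of the thread and not Keycloak's own code: the workaround from the quoted replies above (a user created on behalf of the client, RFC 6749 section 4.3 password grant, then the bearer token passed along the chain in the Authorization header), built offline with the Python standard library. The endpoint URL, function names and sample credentials are assumptions made up for illustration; client authentication follows RFC 6749 section 2.3.1, which the thread does not specify.</div>

```python
import base64
import json
import re
import urllib.parse
import urllib.request

# Placeholder URL (assumption): the real token endpoint depends on the Keycloak version.
TOKEN_ENDPOINT = "https://sso.example.test/TOKEN-ENDPOINT-PLACEHOLDER"
# RFC 6750 section 2.1 "b64token" syntax; rejects CR/LF and spaces in a relayed token.
BEARER_RE = re.compile(r"Bearer ([A-Za-z0-9\-._~+/]+=*)")


def build_password_grant_request(client_id, client_secret, username, password):
    """RFC 6749 section 4.3.2 request for a user created on behalf of the client."""
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password}
    ).encode("ascii")
    # Section 2.3.1: client id and secret are form-encoded, then sent as HTTP Basic.
    pair = urllib.parse.quote_plus(client_id) + ":" + urllib.parse.quote_plus(client_secret)
    basic = base64.b64encode(pair.encode("ascii")).decode("ascii")
    return urllib.request.Request(
        TOKEN_ENDPOINT, data=body, method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw_json):
    """Return the access token from a section 5.1 response, or raise on a 5.2 error."""
    doc = json.loads(raw_json)
    if "error" in doc:
        raise ValueError("token endpoint error: " + str(doc["error"]))
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("not a bearer token response")
    return doc["access_token"]


def relay_headers(incoming_authorization):
    """Headers a middle service sends downstream, reusing the caller's bearer token."""
    match = BEARER_RE.fullmatch(incoming_authorization or "")
    if match is None:
        raise ValueError("missing or malformed bearer token")
    return {"Authorization": "Bearer " + match.group(1)}


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    req = build_password_grant_request("svc-client", "s3cr:et", "svc-user", "p@ss word")
    print(req.get_method(), req.full_url, req.data.decode())
    sample = '{"access_token": "abc.def.ghi", "token_type": "bearer", "expires_in": 300}'
    print(relay_headers("Bearer " + parse_token_response(sample)))
```

<div>The service user's password is a long-lived secret held by the client application, so it belongs in protected configuration rather than in source code.</div>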
</body>
</html>