<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:13px"><div id="yui_3_16_0_1_1439947431137_8023"><span id="yui_3_16_0_1_1439947431137_9414">Marek - Whatever you thought of implementing makes sense and that will probably meet our needs. For it to work, I am assuming that we will have to do a bulk registration of all our client applications, using the kerberos principal (probably without the realm info, something like "abcd" instead of "abcd@realm.com") as the client_id. Another assumption is that the normal client authentication (using client_id and client secret ) will also work. Is my understanding correct? If so, is it something that you can provide in the near future (1-2 months?)</span></div><div id="yui_3_16_0_1_1439947431137_8023"><span><br></span></div><div id="yui_3_16_0_1_1439947431137_8023" dir="ltr"><span id="yui_3_16_0_1_1439947431137_12102">On a different note, I had a quick look at your email about Client authentication. Even though I didn't really digest it, I think whatever you are planning to implement (clients storing their private key with them and registering their public key with Keycloak) takes you one step (actually a giant step) closer to making keycloak compliant with FIDO. I can't wait to see these features which will make keycloak a great product.</span></div><div id="yui_3_16_0_1_1439947431137_8023" dir="ltr"><span><br></span></div><div id="yui_3_16_0_1_1439947431137_8023" dir="ltr"><span>Great job everyone :-)</span></div><div id="yui_3_16_0_1_1439947431137_8023"><br></div><div id="yui_3_16_0_1_1439947431137_8023"><span id="yui_3_16_0_1_1439947431137_8112">Stian - All the options you suggested sound great and we can look into them if the above feature suggested by Marek cannot be provided in the near future.</span></div><div id="yui_3_16_0_1_1439947431137_8023"><span><br></span></div><div id="yui_3_16_0_1_1439947431137_8023"><span id="yui_3_16_0_1_1439947431137_13006">Thanks once again,</span></div><div id="yui_3_16_0_1_1439947431137_8023"><span><br></span></div><div id="yui_3_16_0_1_1439947431137_8023"><span>Regards,</span></div><div id="yui_3_16_0_1_1439947431137_8023"><span>Raghu</span></div><br> <div style="font-family: times new roman, new york, times, serif; font-size: 13px;" id="yui_3_16_0_1_1439947431137_8197"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1439947431137_8196"> <div dir="ltr" id="yui_3_16_0_1_1439947431137_8195"> <hr size="1" id="yui_3_16_0_1_1439947431137_8750"> <font size="2" face="Arial" id="yui_3_16_0_1_1439947431137_8336"> <b><span style="font-weight:bold;">From:</span></b> Marek Posolda <mposolda@redhat.com><br> <b><span style="font-weight: bold;">To:</span></b> Stian Thorgersen <stian@redhat.com>; Raghu Prabhala <prabhalar@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> Keycloak-user <keycloak-user@lists.jboss.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, August 18, 2015 6:08 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [keycloak-user] Client Credentials grant Question<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1439947431137_8337"><br>Right now pluggable client authentication is already available in <br clear="none">master, so there is already possibility to use different mechanism for <br clear="none">authenticating clients than just default client_id + client_secret .<br clear="none"><br clear="none">I was thinking about adding support for authenticating with kerberos <br clear="none">keytab in a way, that clients would need to be already registered in <br clear="none">keycloak. Once client is authenticated through kerberos, clientId is <br clear="none">read from gssContext (gssContext.getSrcName() ) and corresponding client <br clear="none">is found in Keycloak, so all other info including roles in the access <br clear="none">token will be filled from the configured "Service Account roles" for the <br clear="none">particular client.<br clear="none"><br clear="none">Alternatively, in next version you can add your own ClientAuthenticator <br clear="none">implementation and implement authentication with kerberos keytab however <br clear="none">you want. For example you would just register 1 Client in keycloak admin <br clear="none">console. Then in your authenticator, when the client is successfully <br clear="none">authenticated with Kerberos, you will always use this registered <br clear="none">keycloak client but you will reuse the gssContext.getSrcName() to know <br clear="none">which actual client from your 1000 clients was used. Then you may also <br clear="none">need some custom protocol mapper implementation, which will allow you to <br clear="none">map the roles into accessToken based on which of your clients was used etc.<br clear="none"><br clear="none">Marek<br clear="none"><br clear="none">Dne 18.8.2015 v 08:31 Stian Thorgersen napsal(a):<br clear="none">> We would like to add support for authenticating with Kerberos keytab to clients, but not sure when we can do it.<br clear="none">><br clear="none">> Only options to avoid manually registering clients with Keycloak at the moment would be to extend the realm store to make it look in an external source as well (we warned this SPI may change significantly in future), or you could use the rest admin api to do batch imports (you could also schedule this daily/weekly or something). Beyond we are planning to allow custom authentication flows for clients, but we have to much on our plate at the moment to also enable external sources for client config.<br clear="none">><br clear="none">> ----- Original Message -----<br clear="none">>> From: "Raghu Prabhala" <<a shape="rect" ymailto="mailto:prabhalar@yahoo.com" href="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>><br clear="none">>> To: "Keycloak-user" <<a shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br clear="none">>> Sent: Tuesday, 18 August, 2015 5:20:12 AM<br clear="none">>> Subject: [keycloak-user] Client Credentials grant Question<br clear="none">>><br clear="none">>> Bill/Stian,<br clear="none">>><br clear="none">>> Is it possible to use an external system to authenticate a client for the<br clear="none">>> client credentials grant option? In our organization, we have a large number<br clear="none">>> of applications that interact with each other using kerberos accounts.<br clear="none">>> Today, a client application 1 will use its kerberos id and keytab to<br clear="none">>> authenticate against MIT kerberos and get a custom token which is passed to<br clear="none">>> client application 2 which then validates that token and grants access to<br clear="none">>> the first application. Now if we want to use Keycloak's client credentials<br clear="none">>> grant, the client application 1 is expected to have its client_id and secret<br clear="none">>> registered with keycloak. It is not possible for all our existing<br clear="none">>> applications to discard the current Kerberos account and go with this new<br clear="none">>> client_id and secret required by Keycloak. So we are wondering, if there is<br clear="none">>> any way, we can avoid registering a client application with keycloak and use<br clear="none">>> our existing Kerberos infrastructure to do the client authentication and<br clear="none">>> then provide the access token based on the client credentials grant option.<br clear="none">>> If that is not possible, any pointers on how we can use Keycloak without<br clear="none">>> requiring all our thousands of apps to register with keycloak?<br clear="none">>><br clear="none">>> Thanks in advance,<br clear="none">>> Raghu<br clear="none">>><br clear="none">>> _______________________________________________<br clear="none">>> keycloak-user mailing list<br clear="none">>> <a shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br clear="none">>> <a shape="rect" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><div class="qtdSeparateBR"><br><br></div><div class="yqt3174762104" id="yqtfd71421"><br clear="none">> _______________________________________________<br clear="none">> keycloak-user mailing list<br clear="none">> <a shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br clear="none">> <a shape="rect" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none"><br clear="none"></div><br><br></div> </div> </div> </div></body></html>