<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 11 November 2015 at 15:27, Tomas Groth Christensen <span dir="ltr"><<a href="mailto:tgc@dma.dk" target="_blank">tgc@dma.dk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I have a question about how to use OpenId Connect and KeyCloak and hope that someone here will be able to help.<br>
I'm part of a project where federated login will be used. We are planning to use Keycloak as Identity Broker and multiple Identity Providers will be set up, some Identity Providers will be Keycloak instances, others not. For now the assumption is that all the Identity Providers will support OpenId Connect.<br>
<br>
One of the use cases we need to support is authentication of applications for communication to webservices (machine to machine communication), but it is causing us some trouble.<br>
The webservices will be created as clients in the Keycloak Identity Broker. But how do we authenticate the applications?<br>
The applications will not be browser based, so using the webinterface for authentication is not possible. There exists some guides (including this Keycloak blog post: <a href="http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html" rel="noreferrer" target="_blank">http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html</a>) that describes how this can be done when using Keycloak directly as Identity Provider, but I haven't been able to find any solutions to how to make it work when there is an Identity Broker involved.<br>
<br>
Reading the Keycloak documentation I couldn't help notice the big fat warning in the chapter about Direct Access Grant (<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html" rel="noreferrer" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html</a>) which discourages bypassing the webinterface. This leads me to think that this kind of federated authentication without a browser is not supported by OpenId Connect, or am I missing something?<br></blockquote><div><br></div><div>Firstly identity brokering is not part of OpenID Connect, it's a feature provided by Keycloak.</div><div><br></div><div>Direct access grants is for users not clients. We recommend using the web based flows for users. Otherwise you don't get SSO and a bunch of other features provided by Keycloak. It's also less secure as you are exposing passwords directly to applications.</div><div><br></div><div>For clients (service accounts) on the other hand the client credential grants is used, which is a different flow. It's not part of OpenID Connect, but only OAuth 2.0.</div><div><br></div><div>Neither of the above flows have support for identity brokering in Keycloak at the moment. We could potentially add support to use those flows and provide a token from a brokered IdP instead of credentials. It should work relatively well for user based flow, but I'm less sure about the client credentials grants flow as it assumes there's a client in Keycloak (with a linked user account) so this would be considerably more complex to support.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
I've had a look at offline tokens, but to generate them, manual browser based authentication is still needed, at least as far as I can see...<br>
<br>
I hope someone on the list has an idea for a smart workaround :)<br>
<br>
Best regards,<br>
Tomas<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote></div><br></div></div>