<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div>To my knowledge, if you want certificate-based authentication for users you'd have to write it yourself.</div>
<div> </div>
<div> </div>
<div>On Fri, Jan 15, 2016, at 11:08 AM, Thomas Darimont wrote:<br></div>
<blockquote type="cite"><div dir="ltr"><div>Quick question, do you only want to use clients because they support authentication via certificats?<br></div>
<div> </div>
<div>Isn't it possible to have certificate based authentication for users as well?<br></div>
<div> </div>
<div>Cheers,<br></div>
<div>Thomas<br></div>
</div>
<div><div> </div>
<div><div>2016-01-15 16:37 GMT+01:00 Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>></span>:<br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex;"><div dir="ltr">Depends on what a device is. If it's a device that is controlled by a human that could authenticate as themselves then use a user account. If it's a device that is purely non-human than use a service account.<br></div>
<div><div><div><div> </div>
<div><div>On 15 January 2016 at 16:05, Aikeaguinea <span dir="ltr"><<a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a>></span> wrote:<br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex;"><div><u></u><br></div>
<div><div>I realize these aren't clients in the sense Keycloak intends, but in this case Keycloak provides all the functionality I need without me having to rebuild it myself -- particularly with respect to generating and managing certificates. Since the devices are all under our control, the concept of a service account seems to fit even if the Keycloak concept of "client" really is intended for something else.<br></div>
<div> </div>
<div>Will using Keycloak clients for this purpose get us in trouble somehow?<br></div>
<div><div><div> </div>
<div> </div>
<div>On Wed, Jan 13, 2016, at 09:46 AM, Bill Burke wrote:<br></div>
<blockquote type="cite"><div>I think you'd be better served having public clients and developing
cert auth for users via our auth spi, as these are users aren't
they? They aren't clients in the sense of what Keycloak thinks of
as a client. A client in keycloak is really a service or web app.<br></div>
<div> </div>
<div>On 1/13/2016 2:43 AM, Stian Thorgersen
wrote:<br></div>
<blockquote type="cite"><div dir="ltr">As Bill said we haven't tested with loads of
clients, but we need to be able to scale to hundreds or probably
thousand clients at least. So if you run into issues with it let
us know and we'll look into it.<br></div>
<div><div> </div>
<div><div>On 13 January 2016 at 01:18,
Aikeaguinea <span dir="ltr"><<a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a>></span>
wrote:<br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex;"><div>I'd say
we're talking on the order of a hundred to start with; this<br></div>
<div>could ramp up to multiples of that within a year or two. I
imagine the<br></div>
<div>thing to do would be for us to do some stress testing of our
own.<br></div>
<div><div><div> </div>
<div>On Tue, Jan 12, 2016, at 06:57 PM, Bill Burke wrote:<br></div>
<div>> How many devices you talking about? I think it may
become an issue as<br></div>
<div>> we haven't really stressed and benched with tons
(hundreds/thousands) of<br></div>
<div>> clients.<br></div>
<div>><br></div>
<div>> On 1/12/2016 6:08 PM, Aikeaguinea wrote:<br></div>
<div>> > We have a number of devices that need to
access APIs; for various<br></div>
<div>> > reasons we need to use client certificates for
this purpose.<br></div>
<div>> ><br></div>
<div>> > I have noticed that Keycloak will allow
service accounts to authenticate<br></div>
<div>> > using client certificates and that these
certificates can be generated<br></div>
<div>> > within Keycloak. This looks like it fits our
needs well -- when we set<br></div>
<div>> > up a new device we would need to set up a new
client and service account<br></div>
<div>> > for it in Keycloak. I've verified through
testing that we can make this<br></div>
<div>> > work.<br></div>
<div>> ><br></div>
<div>> > Ultimately we may have to manage a fairly
large number of devices, say<br></div>
<div>> > in the hundreds. Is there any reason that
Keycloak would limit us in the<br></div>
<div>> > number of clients we could create and manage
in this way?<br></div>
<div>> ><br></div>
<div>><br></div>
<div>> --<br></div>
<div>> Bill Burke<br></div>
<div>> JBoss, a division of Red Hat<br></div>
<div>> <a href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br></div>
<div>><br></div>
<div>> _______________________________________________<br></div>
<div>> keycloak-user mailing list<br></div>
<div>> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br></div>
<div>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></div>
<div> </div>
<div> </div>
</div>
</div>
<div><span><span class="colour" style="color:rgb(136, 136, 136)">--<br>
Aikeaguinea<br> <a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a><br> <br>
--<br> <a href="http://www.fastmail.com">http://www.fastmail.com</a>
- Or how I learned to stop worrying and<br>
love email again</span></span></div>
<div><div><div> </div>
<div>_______________________________________________<br></div>
<div>keycloak-user mailing list<br></div>
<div><a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br></div>
<div><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></div>
</div>
</div>
</blockquote></div>
<div> </div>
</div>
<div> </div>
<div> </div>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></pre></blockquote><div> </div>
<pre>--
Bill Burke
JBoss, a division of Red Hat
<a href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br></pre><div><u>_______________________________________________</u><br></div>
<div>keycloak-user mailing list<br></div>
<div><a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br></div>
<div><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></div>
</blockquote><div> </div>
<div><div>--<br></div>
<div> Aikeaguinea<br></div>
<div><a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a><br></div>
<div> </div>
</div>
<div> </div>
</div>
</div>
<div> </div>
<pre><span><span class="colour" style="color:rgb(136, 136, 136)">--
<a href="http://www.fastmail.com">http://www.fastmail.com</a> - The way an email service should be
</span></span><br></pre><div> </div>
</div>
<div> </div>
<div>_______________________________________________<br></div>
<div>
keycloak-user mailing list<br></div>
<div> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br></div>
<div> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></div>
</blockquote></div>
<div> </div>
</div>
</div>
</div>
<div> </div>
<div>_______________________________________________<br></div>
<div>
keycloak-user mailing list<br></div>
<div> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br></div>
<div> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></div>
</blockquote></div>
</div>
</blockquote><div> </div>
<div id="sig3995191"><div class="signature">--<br></div>
<div class="signature"> Aikeaguinea<br></div>
<div class="signature"> aikeaguinea@xsmail.com<br></div>
<div class="signature"> </div>
</div>
<div> </div>
<pre>
--
http://www.fastmail.com - The professional email service
</pre>
</body>
</html>