<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div>I realize these aren't clients in the sense Keycloak intends, but in this case Keycloak provides all the functionality I need without me having to rebuild it myself -- particularly with respect to generating and managing certificates. Since the devices are all under our control, the concept of a service account seems to fit even if the Keycloak concept of "client" really is intended for something else.<br></div>
<div> </div>
<div>Will using Keycloak clients for this purpose get us in trouble somehow?</div>
<div> </div>
<div> </div>
<div>On Wed, Jan 13, 2016, at 09:46 AM, Bill Burke wrote:<br></div>
<blockquote type="cite"><div>I think you'd be better served having public clients and developing
cert auth for users via our auth spi, as these are users aren't
they? They aren't clients in the sense of what Keycloak thinks of
as a client. A client in keycloak is really a service or web app.<br></div>
<div> </div>
<div>On 1/13/2016 2:43 AM, Stian Thorgersen
wrote:<br></div>
<blockquote type="cite" cite="mid:CAJgngAcUH=CSwHFXh5xzyzMxgCrxM0RfnVTR5KsdNN9qTCMiHQ@mail.gmail.com"><div dir="ltr">As Bill said we haven't tested with loads of
clients, but we need to be able to scale to hundreds or probably
thousand clients at least. So if you run into issues with it let
us know and we'll look into it.<br></div>
<div><div> </div>
<div><div>On 13 January 2016 at 01:18,
Aikeaguinea <span dir="ltr"><<a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a>></span>
wrote:<br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex;"><div>I'd say
we're talking on the order of a hundred to start with; this<br></div>
<div>
could ramp up to multiples of that within a year or two. I
imagine the<br></div>
<div>
thing to do would be for us to do some stress testing of our
own.<br></div>
<div><div><div> </div>
<div>
On Tue, Jan 12, 2016, at 06:57 PM, Bill Burke wrote:<br></div>
<div>
> How many devices you talking about? I think it may
become an issue as<br></div>
<div>
> we haven't really stressed and benched with tons
(hundreds/thousands) of<br></div>
<div>
> clients.<br></div>
<div>
><br></div>
<div>
> On 1/12/2016 6:08 PM, Aikeaguinea wrote:<br></div>
<div>
> > We have a number of devices that need to
access APIs; for various<br></div>
<div>
> > reasons we need to use client certificates for
this purpose.<br></div>
<div>
> ><br></div>
<div>
> > I have noticed that Keycloak will allow
service accounts to authenticate<br></div>
<div>
> > using client certificates and that these
certificates can be generated<br></div>
<div>
> > within Keycloak. This looks like it fits our
needs well -- when we set<br></div>
<div>
> > up a new device we would need to set up a new
client and service account<br></div>
<div>
> > for it in Keycloak. I've verified through
testing that we can make this<br></div>
<div>
> > work.<br></div>
<div>
> ><br></div>
<div>
> > Ultimately we may have to manage a fairly
large number of devices, say<br></div>
<div>
> > in the hundreds. Is there any reason that
Keycloak would limit us in the<br></div>
<div>
> > number of clients we could create and manage
in this way?<br></div>
<div>
> ><br></div>
<div>
><br></div>
<div>
> --<br></div>
<div>
> Bill Burke<br></div>
<div>
> JBoss, a division of Red Hat<br></div>
<div>
> <a href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br></div>
<div>
><br></div>
<div>
> _______________________________________________<br></div>
<div>
> keycloak-user mailing list<br></div>
<div>
> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br></div>
<div>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></div>
<div> </div>
<div> </div>
</div>
</div>
<div><span><span class="colour" style="color:rgb(136, 136, 136)">--<br>
Aikeaguinea<br> <a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a><br> <br>
--<br> <a href="http://www.fastmail.com">http://www.fastmail.com</a>
- Or how I learned to stop worrying and<br>
love email again<br></span></span></div>
<div><div><div> </div>
<div>
_______________________________________________<br></div>
<div>
keycloak-user mailing list<br></div>
<div> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br></div>
<div> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></div>
</div>
</div>
</blockquote></div>
<div> </div>
</div>
<div> </div>
<div> </div>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></pre></blockquote><div> </div>
<pre>--
Bill Burke
JBoss, a division of Red Hat
<a href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br></pre><div><u>_______________________________________________</u><br></div>
<div>keycloak-user mailing list<br></div>
<div><a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br></div>
<div><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></div>
</blockquote><div> </div>
<div id="sig3995191"><div class="signature">--<br></div>
<div class="signature"> Aikeaguinea<br></div>
<div class="signature"> aikeaguinea@xsmail.com<br></div>
<div class="signature"> </div>
</div>
<div> </div>
<pre>
--
http://www.fastmail.com - The way an email service should be
</pre>
</body>
</html>