<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>I don't know how much performance would be hurt on logout with a
      large number of clients.</p>
    <p>Sounds like you have a way to handle things.  Maybe blog about
      it? :)<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 5/17/16 9:53 AM, Aikeaguinea wrote:<br>
    </div>
    <blockquote
cite="mid:1463493235.3334646.610310569.147B85A0@webmail.messagingengine.com"
      type="cite">
      <title></title>
      <div>Would only the logout request experience significant delay,
        or would logging out significantly slow down the entire system
        when there is a large number of clients? We can probably work
        with a long logout time per device.<br>
      </div>
      <div> </div>
      <div>With regard to key rotation, we're initially planning on
        using the UI to generate new credentials when we need new keys.
        But couldn't we automate this by
calling /admin/realms/{realm}/clients/{id}/certificates/{attr}/generate-and-download
        ?<br>
      </div>
      <div> </div>
      <div>On Mon, May 16, 2016, at 05:19 PM, Bill Burke wrote:<br>
      </div>
      <blockquote type="cite">
        <p>I think the only thing that doesn't scale very well as it
          pertains to number of clients is logout.  Logout for OIDC
          requires a redirect uri.  We validate this uri by iterating
          over every client's register register uri patterns.<br>
        </p>
        <p>We don't have any services on key rotation.  That's all
          something you'd have to implement yourself.<br>
        </p>
        <div> </div>
        <div>On 5/16/16 3:37 PM, Henryk Konsek wrote:<br>
        </div>
        <blockquote type="cite"
cite="mid:CALhQg-bkdc6P+UWL2+-H8jUN-pz2Ae_fBdh_mADKyZ+T=Rg8Yg@mail.gmail.com">
          <div dir="ltr">
            <div>IMHO mapping device per use should be fine. KeyCloak
              scales well even for hundred of thousands of users, so it
              will handle gazillion of devices as well. <br>
            </div>
            <div> </div>
            <div>Cheers!<br>
            </div>
          </div>
          <div> </div>
          <div defang_data-gmailquote="yes">
            <div dir="ltr">pon., 16.05.2016 o 16:29 użytkownik
              Aikeaguinea &lt;<a moz-do-not-send="true"
                href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a>&gt;
              napisał:<br>
            </div>
            <blockquote
style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204,
              204, 204);border-left-style:solid;padding-left:1ex;"
              defang_data-gmailquote="yes">
              <div>
                <div>This is disappointing news, as when I asked this
                  same question back in January the answer was that the
                  intention is to have Keycloak scale to hundreds if not
                  thousands of clients, and if there were issues you'd
                  work with us on that.<br>
                </div>
                <div> <br>
                </div>
                <div>There's more to this issue than having a custom
                  authenticator; the client interface allows you to
                  click one button and generate the jks file containing
                  the client's private key. We would need this not only
                  for the first time a device is set up, but for key
                  rotation on an ongoing basis.<br>
                </div>
                <div> <br>
                </div>
                <div>Are there ways to plug into the user management
                  interface to allow generation of non-username/password
                  credentials for a user?<br>
                </div>
              </div>
              <div>
                <div> <br>
                </div>
                <div> <br>
                </div>
                <div>On Fri, May 13, 2016, at 02:11 AM, Stian Thorgersen
                  wrote:<br>
                </div>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>Hi,<br>
                    </div>
                    <div> <br>
                    </div>
                    <div>That's a very interesting use-case. One which
                      we have wanted to look into ourselves, but haven't
                      had the resources. Ideally I'd say we'd have a
                      device concept in Keycloak as they're not strictly
                      clients or users. They'd most likely be backed by
                      users, but would have different screens for
                      configuration and would have separate
                      authentication flows. That would require a fair
                      bit of work to add though.<br>
                    </div>
                    <div> <br>
                    </div>
                    <div>In the mean time I don't think clients are a
                      good fit as Keycloak is not currently designed to
                      have large amounts of clients, both for
                      manageability and performance. Both of the issues
                      can be overcome fairly easily, but that would
                      require some work.<br>
                    </div>
                    <div> <br>
                    </div>
                    <div>The best solution in my opinion is to use users
                      and implement your own custom authenticator to
                      handle IOT devices. It's fairly simply to do and
                      gives you the ability to handle authentication of
                      the devices exactly how you want to. See <a
                        moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html"><a class="moz-txt-link-freetext" href="http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html">http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html</a></a>
                      for more details.<br>
                    </div>
                    <div> <br>
                    </div>
                    <div>I'd appreciate if you kept me updated on your
                      progress as I'm very interested :)<br>
                    </div>
                  </div>
                  <div>
                    <div> <br>
                    </div>
                    <div>
                      <div>On 12 May 2016 at 10:29, Matuszak, Eduard <span
                          dir="ltr">&lt;<a moz-do-not-send="true"
                            href="mailto:eduard.matuszak@atos.net">eduard.matuszak@atos.net</a>&gt;</span>
                        wrote:<br>
                      </div>
                      <blockquote
style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204,
                        204,
                        204);border-left-style:solid;padding-left:1ex;">
                        <div>
                          <div> <br>
                          </div>
                          <div><span class="font"
                              style="font-family:Calibri"><span
                                class="size" style="font-size:small"><span
                                  class="size" style="font-size:11pt">Hello</span></span></span><br>
                          </div>
                          <div> <br>
                          </div>
                          <div><span class="font"
                              style="font-family:Calibri"><span
                                class="size" style="font-size:small"><span
                                  class="size" style="font-size:11pt">We
                                  are planning to get a lot of devices,
                                  identifyable by individual
                                  certificates, into an IOT-system being
                                  designed and developed at the moment.
                                  We choosed to authenticate all actors
                                  (users, software components and
                                  devices as well) by OIDC-tokens and
                                  (pre)decided to use Keycloak as ID
                                  provider. User and software components
                                  are quite straightforward to handle
                                  with Keycloak (as Keycloak users with
                                  the help of a user federation provider
                                  &amp; id brokerage and for
                                  applications as Keycloak clients
                                  respectively). But I am not sure of
                                  how to represent our devices (we want
                                  to support hundreds of thousands of
                                  them later on!) by Keycloak means.</span></span></span><br>
                          </div>
                          <div> <br>
                          </div>
                          <div><span class="font"
                              style="font-family:Calibri"><span
                                class="size" style="font-size:small"><span
                                  class="size" style="font-size:11pt">It
                                  seems that we essentially have 2
                                  possiblities to register a device in
                                  Keycloak</span></span></span><br>
                          </div>
                          <ul
style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;padding-left:36pt;">
                            <li><span class="font"
                                style="font-family:Calibri"><span
                                  class="size" style="font-size:small"><span
                                    class="size" style="font-size:11pt">As
                                    a user</span></span></span><br>
                            </li>
                            <li><span class="font"
                                style="font-family:Calibri"><span
                                  class="size" style="font-size:small"><span
                                    class="size" style="font-size:11pt">As
                                    a client</span></span></span><br>
                            </li>
                          </ul>
                          <div> <br>
                          </div>
                          <div><span class="font"
                              style="font-family:Calibri"><span
                                class="size" style="font-size:small"><span
                                  class="size" style="font-size:11pt">By
                                  representing devices as Keycloak
                                  clients we might take advantage of the
                                  ServiceAccount (Oauth-Client
                                  Credential) flow and become able to
                                  implement it via (dynamic!)
                                  registration and it and seems, that we
                                  will even be able to authenticate our
                                  device by their certificates by
                                  choosing "Signed Jwt" as authenticator
                                  option.</span></span></span><br>
                          </div>
                          <div> <br>
                          </div>
                          <div><span class="font"
                              style="font-family:Calibri"><span
                                class="size" style="font-size:small"><span
                                  class="size" style="font-size:11pt">My
                                  question is, if it would be a good
                                  idea to register a very big amount of
                                  devices as Keycloak clients with
                                  regards to performance and
                                  manageability. In principle I would
                                  prefer a user-representation
                                  (faciliting usage of user federation
                                  provider &amp; id brokerage for
                                  instance), but as far as I understood,
                                  the appropriate flow would be Direct
                                  Access (ResourceOwnerPassword
                                  Credentials) and here we can only deal
                                  with username/password instead of
                                  certificates.</span></span></span><br>
                          </div>
                          <div> <br>
                          </div>
                          <div><span class="font"
                              style="font-family:Calibri"><span
                                class="size" style="font-size:small"><span
                                  class="size" style="font-size:11pt">Do
                                  you have any suggestions or hints
                                  (even the conclusion, that Keycloak is
                                  not the suitable
                                  ID-provider-implementation for
                                  large-scale IOT-systems)?</span></span></span><br>
                          </div>
                          <div> <br>
                          </div>
                          <div><span class="font"
                              style="font-family:Calibri"><span
                                class="size" style="font-size:small"><span
                                  class="size" style="font-size:11pt"><span
                                    class="font"
                                    style="font-family:Verdana"><span
                                      class="size"
                                      style="font-size:small"><span
                                        class="size"
                                        style="font-size:9pt">Best
                                        regards, Eduard Matuszak</span></span></span></span></span></span><br>
                          </div>
                          <div> <br>
                          </div>
                          <div><span class="font"
                              style="font-family:Calibri"><span
                                class="size" style="font-size:small"><span
                                  class="size" style="font-size:11pt"><span
                                    class="size" style="font-size:small"><span
                                      class="size" style="font-size:9pt"> </span></span></span></span></span><br>
                          </div>
                          <div> <br>
                          </div>
                          <div> <br>
                          </div>
                        </div>
                        <div> <br>
                        </div>
                        <div>_______________________________________________<br>
                        </div>
                        <div>keycloak-user mailing list<br>
                        </div>
                        <div><a moz-do-not-send="true"
                            href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
                        </div>
                        <div><a moz-do-not-send="true"
                            href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
                        </div>
                      </blockquote>
                    </div>
                  </div>
                  <div><u>_______________________________________________</u><br>
                  </div>
                  <div>keycloak-user mailing list<br>
                  </div>
                  <div><a moz-do-not-send="true"
                      href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
                  </div>
                  <div><a moz-do-not-send="true"
                      href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
                  </div>
                </blockquote>
                <div> <br>
                </div>
              </div>
              <div>
                <div>
                  <div>--<br>
                  </div>
                  <div>  Aikeaguinea<br>
                  </div>
                  <div> <a moz-do-not-send="true"
                      href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a><br>
                  </div>
                  <div> <br>
                  </div>
                </div>
              </div>
              <div>
                <div> <br>
                </div>
                <pre>-- 
<a moz-do-not-send="true" href="http://www.fastmail.com">http://www.fastmail.com</a> - Access your email from home and the web

</pre>
              </div>
              <div>_______________________________________________<br>
              </div>
              <div> keycloak-user mailing list<br>
              </div>
              <div> <a moz-do-not-send="true"
                  href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
              </div>
              <div> <a moz-do-not-send="true"
                  href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
              </div>
            </blockquote>
          </div>
          <div dir="ltr">-- <br>
          </div>
          <div dir="ltr">
            <div>Henryk Konsek<br>
            </div>
            <div><a moz-do-not-send="true"
                href="https://linkedin.com/in/hekonsek">https://linkedin.com/in/hekonsek</a><br>
            </div>
          </div>
          <div> </div>
          <div> </div>
          <pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a>
</pre>
        </blockquote>
        <div> </div>
        <div><u>_______________________________________________</u><br>
        </div>
        <div>keycloak-user mailing list<br>
        </div>
        <div><a moz-do-not-send="true"
            href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
        </div>
        <div><a moz-do-not-send="true"
            href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
        </div>
      </blockquote>
      <div> </div>
      <div id="sig3995191">
        <div class="signature">--<br>
        </div>
        <div class="signature">  Aikeaguinea<br>
        </div>
        <div class="signature">  <a class="moz-txt-link-abbreviated" href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a><br>
        </div>
        <div class="signature"> </div>
      </div>
      <div> </div>
      <pre>-- 
<a class="moz-txt-link-freetext" href="http://www.fastmail.com">http://www.fastmail.com</a> - Or how I learned to stop worrying and
                          love email again
</pre>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
    </blockquote>
    <br>
  </body>
</html>