<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>I don't know how much performance would be hurt on logout with a
large number of clients.</p>
<p>Sounds like you have a way to handle things. Maybe blog about
it? :)<br>
</p>
<br>
<div class="moz-cite-prefix">On 5/17/16 9:53 AM, Aikeaguinea wrote:<br>
</div>
<blockquote
cite="mid:1463493235.3334646.610310569.147B85A0@webmail.messagingengine.com"
type="cite">
<div>Would only the logout request experience significant delay,
or would logging out significantly slow down the entire system
when there is a large number of clients? We can probably work
with a long logout time per device.<br>
</div>
<div> </div>
<div>With regard to key rotation, we're initially planning on
using the UI to generate new credentials when we need new keys.
But couldn't we automate this by
calling /admin/realms/{realm}/clients/{id}/certificates/{attr}/generate-and-download
?<br>
</div>
<div> </div>
<div>On Mon, May 16, 2016, at 05:19 PM, Bill Burke wrote:<br>
</div>
<blockquote type="cite">
<p>I think the only thing that doesn't scale very well as it
pertains to number of clients is logout. Logout for OIDC
requires a redirect uri. We validate this uri by iterating
over every client's registered uri patterns.<br>
</p>
<p>We don't have any services on key rotation. That's all
something you'd have to implement yourself.<br>
</p>
<div> </div>
<div>On 5/16/16 3:37 PM, Henryk Konsek wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CALhQg-bkdc6P+UWL2+-H8jUN-pz2Ae_fBdh_mADKyZ+T=Rg8Yg@mail.gmail.com">
<div dir="ltr">
<div>IMHO mapping a device per user should be fine. Keycloak
scales well even for hundreds of thousands of users, so it
will handle gazillions of devices as well. <br>
</div>
<div> </div>
<div>Cheers!<br>
</div>
</div>
<div> </div>
<div defang_data-gmailquote="yes">
<div dir="ltr">Mon, 16.05.2016 at 16:29, user
Aikeaguinea <<a moz-do-not-send="true"
href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a>>
wrote:<br>
</div>
<blockquote
style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204,
204, 204);border-left-style:solid;padding-left:1ex;"
defang_data-gmailquote="yes">
<div>
<div>This is disappointing news, as when I asked this
same question back in January the answer was that the
intention is to have Keycloak scale to hundreds if not
thousands of clients, and if there were issues you'd
work with us on that.<br>
</div>
<div> <br>
</div>
<div>There's more to this issue than having a custom
authenticator; the client interface allows you to
click one button and generate the jks file containing
the client's private key. We would need this not only
for the first time a device is set up, but for key
rotation on an ongoing basis.<br>
</div>
<div> <br>
</div>
<div>Are there ways to plug into the user management
interface to allow generation of non-username/password
credentials for a user?<br>
</div>
</div>
<div>
<div> <br>
</div>
<div> <br>
</div>
<div>On Fri, May 13, 2016, at 02:11 AM, Stian Thorgersen
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi,<br>
</div>
<div> <br>
</div>
<div>That's a very interesting use-case. One which
we have wanted to look into ourselves, but haven't
had the resources. Ideally I'd say we'd have a
device concept in Keycloak as they're not strictly
clients or users. They'd most likely be backed by
users, but would have different screens for
configuration and would have separate
authentication flows. That would require a fair
bit of work to add though.<br>
</div>
<div> <br>
</div>
<div>In the mean time I don't think clients are a
good fit as Keycloak is not currently designed to
have large amounts of clients, both for
manageability and performance. Both of the issues
can be overcome fairly easily, but that would
require some work.<br>
</div>
<div> <br>
</div>
<div>The best solution in my opinion is to use users
and implement your own custom authenticator to
handle IOT devices. It's fairly simple to do and
gives you the ability to handle authentication of
the devices exactly how you want to. See <a
moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html">http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html</a>
for more details.<br>
</div>
<div> <br>
</div>
<div>I'd appreciate if you kept me updated on your
progress as I'm very interested :)<br>
</div>
</div>
<div>
<div> <br>
</div>
<div>
<div>On 12 May 2016 at 10:29, Matuszak, Eduard <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:eduard.matuszak@atos.net">eduard.matuszak@atos.net</a>></span>
wrote:<br>
</div>
<blockquote
style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204,
204,
204);border-left-style:solid;padding-left:1ex;">
<div>
<div> <br>
</div>
<div>Hello<br>
</div>
<div> <br>
</div>
<div>We are planning to get a lot of devices, identifiable by
individual certificates, into an IOT system being designed and
developed at the moment. We chose to authenticate all actors
(users, software components and devices as well) by OIDC tokens
and (pre)decided to use Keycloak as ID provider. Users and
software components are quite straightforward to handle with
Keycloak (as Keycloak users with the help of a user federation
provider & id brokerage, and as Keycloak clients for
applications, respectively). But I am not sure how to represent
our devices (we want to support hundreds of thousands of them
later on!) by Keycloak means.<br>
</div>
<div> <br>
</div>
<div>It seems that we essentially have 2 possibilities to
register a device in Keycloak:<br>
</div>
<ul
style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;padding-left:36pt;">
<li>As a user<br>
</li>
<li>As a client<br>
</li>
</ul>
<div> <br>
</div>
<div>By representing devices as Keycloak clients we might take
advantage of the ServiceAccount (OAuth client credentials)
flow and become able to implement it via (dynamic!)
registration, and it seems that we will even be able to
authenticate our devices by their certificates by choosing
"Signed Jwt" as the authenticator option.<br>
</div>
<div> <br>
</div>
<div>My question is whether it would be a good idea to register
a very big number of devices as Keycloak clients with regard to
performance and manageability. In principle I would prefer a
user representation (facilitating usage of a user federation
provider & id brokerage, for instance), but as far as I
understood, the appropriate flow would be Direct Access
(Resource Owner Password Credentials) and here we can only deal
with username/password instead of certificates.<br>
</div>
<div> <br>
</div>
<div>Do you have any suggestions or hints (even the conclusion
that Keycloak is not the suitable ID-provider implementation
for large-scale IOT systems)?<br>
</div>
<div> <br>
</div>
<div>Best regards, Eduard Matuszak<br>
</div>
<div> <br>
</div>
</div>
<div> <br>
</div>
<div>_______________________________________________<br>
</div>
<div>keycloak-user mailing list<br>
</div>
<div><a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
</div>
<div><a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</div>
</blockquote>
</div>
</div>
</blockquote>
<div> <br>
</div>
</div>
<div>
<div>
<div>--<br>
</div>
<div> Aikeaguinea<br>
</div>
<div> <a moz-do-not-send="true"
href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a><br>
</div>
<div> <br>
</div>
</div>
</div>
<div>
<div> <br>
</div>
</div>
</blockquote>
</div>
<div dir="ltr">-- <br>
</div>
<div dir="ltr">
<div>Henryk Konsek<br>
</div>
<div><a moz-do-not-send="true"
href="https://linkedin.com/in/hekonsek">https://linkedin.com/in/hekonsek</a><br>
</div>
</div>
<div> </div>
<div> </div>
</blockquote>
<div> </div>
</blockquote>
<div> </div>
<div id="sig3995191">
<div class="signature">--<br>
</div>
<div class="signature"> Aikeaguinea<br>
</div>
<div class="signature"> <a class="moz-txt-link-abbreviated" href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a><br>
</div>
<div class="signature"> </div>
</div>
<div> </div>
<br>
</blockquote>
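<p>The thread above settles on registering each device as a Keycloak client that authenticates with the "Signed Jwt" option, which is the OAuth/OIDC client assertion (RFC 7523, <code>private_key_jwt</code>) used with the client_credentials grant. The Go program below is an added example written for this page; it is not Keycloak code and not code from any poster. It shows both ends of that exchange: the device builds and RS256-signs an assertion whose <code>iss</code> and <code>sub</code> are its client id, whose <code>aud</code> is the realm's token endpoint and which carries a fresh <code>jti</code> and a short <code>exp</code>, then wraps it in the token request form; the identity-provider side pins the algorithm before looking at the signature, verifies the signature against the public key registered for that client, and only then checks issuer, audience, expiry and <code>jti</code> replay. The client id <code>device-0001</code>, the realm name, the token endpoint URL, the 30-second lifetime and the in-memory replay map are constructed values; the exact audience string Keycloak accepts and its replay handling are not shown on this page and should be taken from Keycloak's own documentation.</p>

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Claims of a client assertion (RFC 7523 / OIDC private_key_jwt): iss and sub
// carry the client id, aud the token endpoint it is meant for, jti a one-time id.
type assertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// Assumed lifetime; keep it short, the jti makes the assertion single-use anyway.
const assertionLifetime = 30 * time.Second

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion is the device side: RS256 (PKCS#1 v1.5 over SHA-256) with the
// private key whose certificate is registered on the Keycloak client.
func BuildAssertion(clientID, tokenEndpoint string, key *rsa.PrivateKey, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(assertionClaims{
		Iss: clientID, Sub: clientID, Aud: tokenEndpoint, Jti: b64(jti),
		Iat: now.Unix(), Exp: now.Add(assertionLifetime).Unix(),
	})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// TokenRequestBody is the form the device POSTs to the token endpoint: a
// client_credentials grant authenticated by the assertion instead of a client secret.
func TokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", assertion)
	return v.Encode()
}

// VerifyAssertion is the identity-provider side. Order matters: pin alg before
// touching the signature (rejects alg=none and HMAC-with-public-key confusion),
// verify with the key registered for the client, then trust the claims.
// seenJTI stands in for a replay cache.
func VerifyAssertion(assertion, clientID, tokenEndpoint string, pub *rsa.PublicKey, now time.Time, seenJTI map[string]bool) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	var header struct {
		Alg string `json:"alg"`
	}
	if err != nil || json.Unmarshal(rawHeader, &header) != nil || header.Alg != "RS256" {
		return errors.New("unsupported or unparseable header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("bad signature")
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c assertionClaims
	if err != nil || json.Unmarshal(rawClaims, &c) != nil {
		return errors.New("malformed claims")
	}
	switch {
	case c.Iss != clientID || c.Sub != clientID:
		return errors.New("issuer/subject is not this client")
	case c.Aud != tokenEndpoint:
		return errors.New("audience is not this token endpoint")
	case !now.Before(time.Unix(c.Exp, 0)):
		return errors.New("assertion expired")
	case seenJTI[c.Jti]:
		return errors.New("jti already used")
	}
	seenJTI[c.Jti] = true
	return nil
}

func main() {
	// Constructed values: a device registered as client "device-0001" in a realm "iot".
	const clientID = "device-0001"
	const tokenEndpoint = "https://keycloak.example.net/auth/realms/iot/protocol/openid-connect/token"
	deviceKey, _ := rsa.GenerateKey(rand.Reader, 2048) // in production this lives in the device keystore
	now := time.Now()
	assertion, err := BuildAssertion(clientID, tokenEndpoint, deviceKey, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("POST body starts:", TokenRequestBody(assertion)[:60], "...")
	seen := map[string]bool{}
	fmt.Println("first use:", VerifyAssertion(assertion, clientID, tokenEndpoint, &deviceKey.PublicKey, now, seen))
	fmt.Println("replayed: ", VerifyAssertion(assertion, clientID, tokenEndpoint, &deviceKey.PublicKey, now, seen))
	rotated, _ := rsa.GenerateKey(rand.Reader, 2048) // after key rotation the old key is no longer registered
	fmt.Println("old key after rotation:", VerifyAssertion(assertion, clientID, tokenEndpoint, &rotated.PublicKey, now, map[string]bool{}))
}
```

<p>The last line of <code>main</code> is the property key rotation relies on: once a new certificate is registered for the client, assertions signed with the previous key fail verification, so rotating a device's key is a matter of regenerating the keypair and registering the new public half, which is what the admin endpoint named in the thread automates. Nothing here assumes that endpoint's request format.</p>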
<br>
</body>
</html>