<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div>Would only the logout request experience significant delay, or would logging out significantly slow down the entire system when there is a large number of clients? We can probably work with a long logout time per device.<br></div>
<div> </div>
<div>With regard to key rotation, we're initially planning on using the UI to generate new credentials when we need new keys. But couldn't we automate this by calling /admin/realms/{realm}/clients/{id}/certificates/{attr}/generate-and-download ?<br></div>
<div> </div>
<div>On Mon, May 16, 2016, at 05:19 PM, Bill Burke wrote:<br></div>
<blockquote type="cite"><p>I think the only thing that doesn't scale very well as it
pertains to number of clients is logout. Logout for OIDC requires
a redirect uri. We validate this uri by iterating over every
client's registered uri patterns.<br></p><p>We don't have any services on key rotation. That's all something
you'd have to implement yourself.<br></p><div> </div>
<div>On 5/16/16 3:37 PM, Henryk Konsek
wrote:<br></div>
<blockquote type="cite" cite="mid:CALhQg-bkdc6P+UWL2+-H8jUN-pz2Ae_fBdh_mADKyZ+T=Rg8Yg@mail.gmail.com"><div dir="ltr"><div>IMHO mapping device per user should be fine.
KeyCloak scales well even for hundreds of thousands of users, so
it will handle a gazillion devices as well. <br></div>
<div> </div>
<div>Cheers!<br></div>
</div>
<div> </div>
<div defang_data-gmailquote="yes"><div dir="ltr">Mon, 16.05.2016 at 16:29 user Aikeaguinea
<<a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a>>
wrote:<br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex;" defang_data-gmailquote="yes"><div><div>This is disappointing news, as when I asked this same
question back in January the answer was that the intention
is to have Keycloak scale to hundreds if not thousands of
clients, and if there were issues you'd work with us on
that.<br></div>
<div> <br></div>
<div>There's more to this issue than having a custom
authenticator; the client interface allows you to click
one button and generate the jks file containing the
client's private key. We would need this not only for the
first time a device is set up, but for key rotation on an
ongoing basis.<br></div>
<div> <br></div>
<div>Are there ways to plug into the user management
interface to allow generation of non-username/password
credentials for a user?<br></div>
</div>
<div><div> <br></div>
<div> <br></div>
<div>On Fri, May 13, 2016, at 02:11 AM, Stian Thorgersen
wrote:<br></div>
<blockquote type="cite"><div dir="ltr"><div>Hi,<br></div>
<div> <br></div>
<div>That's a very interesting use-case. One which we
have wanted to look into ourselves, but haven't had
the resources. Ideally I'd say we'd have a device
concept in Keycloak as they're not strictly clients or
users. They'd most likely be backed by users, but
would have different screens for configuration and
would have separate authentication flows. That would
require a fair bit of work to add though.<br></div>
<div> <br></div>
<div>In the mean time I don't think clients are a good
fit as Keycloak is not currently designed to have
large amounts of clients, both for manageability and
performance. Both of the issues can be overcome fairly
easily, but that would require some work.<br></div>
<div> <br></div>
<div>The best solution in my opinion is to use users and
implement your own custom authenticator to handle IOT
devices. It's fairly simple to do and gives you the
ability to handle authentication of the devices
exactly how you want to. See <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html">http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html</a> for more details.<br></div>
<div> <br></div>
<div>I'd appreciate if you kept me updated on your
progress as I'm very interested :)<br></div>
</div>
<div><div> <br></div>
<div><div>On 12 May 2016 at 10:29, Matuszak, Eduard <span dir="ltr"><<a href="mailto:eduard.matuszak@atos.net">eduard.matuszak@atos.net</a>></span> wrote:<br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex;"><div><div> <br></div>
<div><span class="font" style="font-family:Calibri"><span class="size" style="font-size:small"><span class="size" style="font-size:11pt">Hello</span></span></span><br></div>
<div> <br></div>
<div><span class="font" style="font-family:Calibri"><span class="size" style="font-size:small"><span class="size" style="font-size:11pt">We are planning to
get a lot of devices, identifiable by
individual certificates, into an
IOT-system being designed and developed at
the moment. We chose to authenticate all
actors (users, software components and
devices as well) by OIDC-tokens and
(pre)decided
to use Keycloak as ID provider. Users and
software components are quite
straightforward to handle with Keycloak
(as Keycloak users with the help of a user
federation provider & id brokerage and
for applications as Keycloak clients
respectively). But I am not
sure of how to represent our devices (we
want to support hundreds of thousands of
them later on!) by Keycloak means.</span></span></span><br></div>
<div> <br></div>
<div><span class="font" style="font-family:Calibri"><span class="size" style="font-size:small"><span class="size" style="font-size:11pt">It seems that we
essentially have 2 possibilities to
register a device in Keycloak</span></span></span><br></div>
<ul style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;padding-left:36pt;"><li><span class="font" style="font-family:Calibri"><span class="size" style="font-size:small"><span class="size" style="font-size:11pt">As a user</span></span></span><br></li><li><span class="font" style="font-family:Calibri"><span class="size" style="font-size:small"><span class="size" style="font-size:11pt">As a client</span></span></span><br></li></ul><div> <br></div>
<div><span class="font" style="font-family:Calibri"><span class="size" style="font-size:small"><span class="size" style="font-size:11pt">By representing
devices as Keycloak clients we might take
advantage of the ServiceAccount
(Oauth-Client Credential) flow and become
able to implement it via (dynamic!)
registration and it seems that we
will even be able to authenticate our
devices
by their certificates by choosing "Signed
Jwt" as authenticator option.</span></span></span><br></div>
<div> <br></div>
<div><span class="font" style="font-family:Calibri"><span class="size" style="font-size:small"><span class="size" style="font-size:11pt">My question is, if
it would be a good idea to register a very
big amount of devices as Keycloak clients
with regards to performance and
manageability. In principle I would prefer
a user-representation (facilitating usage of
user federation provider & id
brokerage for instance), but as far as I
understood, the appropriate flow would be
Direct Access (ResourceOwnerPassword
Credentials) and here we can only deal
with username/password instead of
certificates.</span></span></span><br></div>
<div> <br></div>
<div><span class="font" style="font-family:Calibri"><span class="size" style="font-size:small"><span class="size" style="font-size:11pt">Do you have any
suggestions or hints (even the conclusion,
that Keycloak is not the suitable
ID-provider-implementation for large-scale
IOT-systems)?</span></span></span><br></div>
<div> <br></div>
<div><span class="font" style="font-family:Calibri"><span class="size" style="font-size:small"><span class="size" style="font-size:11pt"><span class="font" style="font-family:Verdana"><span class="size" style="font-size:small"><span class="size" style="font-size:9pt">Best regards,
Eduard Matuszak</span></span></span></span></span></span><br></div>
<div> <br></div>
<div><span class="font" style="font-family:Calibri"><span class="size" style="font-size:small"><span class="size" style="font-size:11pt"><span class="size" style="font-size:small"><span class="size" style="font-size:9pt"> </span></span></span></span></span><br></div>
<div> <br></div>
<div> <br></div>
</div>
<div> <br></div>
<div>_______________________________________________<br></div>
<div>keycloak-user mailing list<br></div>
<div><a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br></div>
<div><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></div>
</blockquote></div>
</div>
</blockquote><div> <br></div>
</div>
<div><div><div>--<br></div>
<div> Aikeaguinea<br></div>
<div> <a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a><br></div>
<div> <br></div>
</div>
</div>
<div> </div>
</blockquote></div>
<div dir="ltr">-- <br></div>
<div dir="ltr"><div>Henryk Konsek<br></div>
<div><a href="https://linkedin.com/in/hekonsek">https://linkedin.com/in/hekonsek</a><br></div>
</div>
<div> </div>
<div> </div>
</blockquote><div> </div>
</blockquote><div> </div>
<div id="sig3995191"><div class="signature">--<br></div>
<div class="signature"> Aikeaguinea<br></div>
<div class="signature"> aikeaguinea@xsmail.com<br></div>
<div class="signature"> </div>
</div>
<div> </div>
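<div>Added example, not code from this thread and not Keycloak's own implementation: a minimal model of the "Signed Jwt" client authentication Eduard asks about, i.e. the client credentials grant in which the device signs a short-lived JWT assertion with its own private key and the token endpoint verifies it against the key enrolled for that client (the client_assertion / RFC 7523 scheme Keycloak's Signed JWT client authenticator speaks). It also sketches the per-client key registry that the rotation Bill says you must build yourself needs: enrol a new kid, re-key the device, revoke the old kid, so an assertion signed with the retired key stops verifying. The realm URL in TokenEndpoint, the client id device-0001, the kid names and the in-memory key and jti stores are assumptions for illustration only.</div>

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Assumed token endpoint of a hypothetical "iot" realm; the device names it in "aud".
const TokenEndpoint = "https://idp.example.com/auth/realms/iot/protocol/openid-connect/token"
var b64 = base64.RawURLEncoding

type jwtClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

func digest(signingInput string) []byte { d := sha256.Sum256([]byte(signingInput)); return d[:] }
// NewDeviceKey stands in for the key pair a device generates on-board at enrolment.
func NewDeviceKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) } // only if the system's random source is unusable
	return k
}

// SignAssertion is the device side: build the client_assertion JWT and sign it RS256
// (PKCS#1 v1.5 over SHA-256); "kid" names which of the client's enrolled keys was used.
func SignAssertion(key *rsa.PrivateKey, kid, clientID string, now time.Time) (string, error) {
	jti := make([]byte, 16) // a fresh random jti lets the IdP spot a replayed assertion
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	c, _ := json.Marshal(jwtClaims{Iss: clientID, Sub: clientID, Aud: TokenEndpoint,
		Jti: b64.EncodeToString(jti), Exp: now.Add(60 * time.Second).Unix()})
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

type Verifier struct {
	keys map[string]*rsa.PublicKey // IdP side: public keys enrolled per "clientID/kid"
	seen map[string]bool           // every jti accepted; a real store would drop entries after exp
}

// Rotation is RegisterKey for the new kid, re-keying the device, then RevokeKey for the old.
func (v *Verifier) RegisterKey(clientID, kid string, pub *rsa.PublicKey) { v.keys[clientID+"/"+kid] = pub }
func (v *Verifier) RevokeKey(clientID, kid string)                        { delete(v.keys, clientID+"/"+kid) }

// Verify returns the authenticated client ID, or an error naming the check that failed.
func (v *Verifier) Verify(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	var h, c = map[string]string{}, jwtClaims{} // untrusted until the signature has been checked
	for i, dst := range []interface{}{&h, &c} {
		if raw, err := b64.DecodeString(parts[i]); err != nil || json.Unmarshal(raw, dst) != nil {
			return "", fmt.Errorf("undecodable JWT segment %d", i)
		}
	}
	pub, ok := v.keys[c.Iss+"/"+h["kid"]] // the key comes from the IdP's registry, never the token
	if h["alg"] != "RS256" || !ok {       // and the token does not get to pick "none" or a weaker alg
		return "", fmt.Errorf("alg %q with key %q is not enrolled for client %q", h["alg"], h["kid"], c.Iss)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
		return "", fmt.Errorf("bad signature")
	}
	if c.Sub != c.Iss || c.Aud != TokenEndpoint || now.Unix() >= c.Exp || v.seen[c.Jti] {
		return "", fmt.Errorf("claims rejected: sub/aud mismatch, expired, or jti already used")
	}
	v.seen[c.Jti] = true
	return c.Iss, nil
}

func main() {
	idp, now := &Verifier{map[string]*rsa.PublicKey{}, map[string]bool{}}, time.Now()
	k1 := NewDeviceKey()
	idp.RegisterKey("device-0001", "k1", &k1.PublicKey)
	tok, _ := SignAssertion(k1, "k1", "device-0001", now)
	id, err := idp.Verify(tok, now)
	fmt.Println("fresh assertion:", id, err)
	_, err = idp.Verify(tok, now.Add(5*time.Second))
	fmt.Println("same assertion replayed:", err)
	idp.RevokeKey("device-0001", "k1") // after a rotation the retired kid must stop verifying
	_, err = idp.Verify(tok, now)
	fmt.Println("assertion under the retired key:", err)
}
```

<div>Run with go run: the three printed lines show a fresh assertion accepted, the same assertion refused on replay, and the assertion refused again once its kid has been revoked. Looking the key up by the assertion's own iss and kid, and insisting on aud equal to this token endpoint, is what stops an assertion signed by some other enrolled device, or captured on the way to a different realm, from being presented as this device; nothing in the token itself (alg, an embedded key) is allowed to influence which key is used.</div>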
</body>
</html>