<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal" style="line-height:15.0pt;background:white"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Hi,<br>
We are evaluating KeyCloak to be our SSO server, and we have a few questions regarding the offline token usage.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:7.5pt;line-height:15.0pt;background:white">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">First our high level use case is as follows:<br>
We have multi-tenancy applications, each tenant will have its own realm (which means the same clients will be defined for each realm).<br>
One of the applications has 3 authentication scenarios:<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;text-indent:-.25in;line-height:15.0pt;mso-list:l1 level1 lfo2;background:white">
<![if !supportLists]><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span dir="LTR"></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">User using SDK flow to access the application (by code)<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;text-indent:-.25in;line-height:15.0pt;mso-list:l1 level1 lfo2;background:white">
<![if !supportLists]><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span dir="LTR"></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Offline job<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;text-indent:-.25in;line-height:15.0pt;mso-list:l1 level1 lfo2;background:white">
<![if !supportLists]><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span dir="LTR"></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">External micro service (not registered in KeyCloak) that needs to access our application micro service<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;text-indent:-.25in;line-height:15.0pt;mso-list:l1 level1 lfo2;background:white">
<![if !supportLists]><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span dir="LTR"></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">UI login<br>
We thought to use offline token for the first three, and define a single client for UI and micro services.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:7.5pt;line-height:15.0pt;background:white">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Does our approach make sense? Especially regarding the realm per tenant and the fact that we will have to create the same clients for each realm,<br>
the offline token usage for the authentication flows, and the single client for the UI and micro service.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:7.5pt;line-height:15.0pt;background:white">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Regarding the offline tokens - why are they per client? Does it mean that when using the client offline token (and getting the real token from KeyCloak) we will not be able to use it
for another client's (within the realm) micro service?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:7.5pt;line-height:15.0pt;background:white">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Also how can we generate them for each of the following cases (also described above):<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;text-indent:-.25in;line-height:15.0pt;mso-list:l0 level1 lfo4;background:white">
<![if !supportLists]><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span dir="LTR"></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">User - should manually add the token to his code, so we thought to provide it within the application; however, how can we generate
the offline token for an already logged-in user? We would like to avoid generating the offline token for all users and using a separate offline login page.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;text-indent:-.25in;line-height:15.0pt;mso-list:l0 level1 lfo4;background:white">
<![if !supportLists]><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span dir="LTR"></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Offline job - the offline job, which is cross-realm, will use a special operator realm. The token will be generated manually by the
admin, who will store it in the file system for the offline job's usage. How can the admin generate this token? Can it be done in the admin console? If not, I guess we will have to create a service that logs him in to the application and generates the token;
is there an alternative?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;text-indent:-.25in;line-height:15.0pt;mso-list:l0 level1 lfo4;background:white">
<![if !supportLists]><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span dir="LTR"></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Micro service - it's a very similar flow to the offline job, only the admin will have to create an offline token per realm.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:7.5pt;line-height:15.0pt;background:white">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">I hope it's not too much :) and
any advice will be highly appreciated.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:7.5pt;line-height:15.0pt;background:white">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-top:7.5pt;line-height:15.0pt;background:white">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Thanks,<br>
Haim.<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
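As an added example (not from Haim's mail or from the Keycloak project), here is how a client obtains a Keycloak offline token, how it later exchanges that token for an access token, and a pre-use check that a token read from the file system belongs to the expected realm and client, which is the practical consequence of offline tokens being per client. The token endpoint path, the `offline_access` scope and the `typ`, `iss` and `azp` claims are Keycloak's; the base URL, realm and client names and the unsigned sample token are assumptions constructed here for offline testing.

```python
import base64
import json
from urllib.parse import urlencode

def token_endpoint(base_url: str, realm: str) -> str:
    # Each realm has its own endpoint: a token from one realm cannot be
    # refreshed against another (relevant to the realm-per-tenant design).
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"

def offline_token_request(client_id, client_secret, username, password) -> str:
    # scope=offline_access makes Keycloak return an offline token in the
    # refresh_token field of the response instead of a normal refresh token.
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "client_secret": client_secret, "username": username,
                      "password": password, "scope": "offline_access"})

def refresh_request(client_id, client_secret, offline_token) -> str:
    # The stored offline token is later presented as a refresh token by the
    # same client that obtained it; Keycloak records that client in "azp".
    return urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "client_secret": client_secret,
                      "refresh_token": offline_token})

def token_claims(jwt: str) -> dict:
    # Payload only, no signature check: Keycloak verifies the signature when
    # the token is presented; this is a local sanity check on a stored token.
    part = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_offline_token(jwt, expected_issuer, expected_client):
    # Reasons a token read from disk should NOT be used (empty list = usable).
    c = token_claims(jwt)
    problems = []
    if c.get("typ") != "Offline":
        problems.append("not an offline token (typ=%r)" % c.get("typ"))
    if c.get("iss") != expected_issuer:
        problems.append("issued by another realm (iss=%r)" % c.get("iss"))
    if c.get("azp") != expected_client:
        problems.append("issued to client %r, not %r" % (c.get("azp"), expected_client))
    return problems

def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token for offline testing only (assumption).
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```

The form strings returned by the two request builders are what a client POSTs to `token_endpoint(...)` with content type `application/x-www-form-urlencoded`.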
</body>
</html>