<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 18 May 2016 at 11:53, Haim Vana <span dir="ltr"><<a href="mailto:haimv@perfectomobile.com" target="_blank">haimv@perfectomobile.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div>
<p class="MsoNormal" style="line-height:15.0pt;background:white"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Hi,<br>
We are evaluating KeyCloak to be our SSO server, and we have a few questions regarding the offline token usage.<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-top:7.5pt;line-height:15.0pt;background:white">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">First our high level use case is as follows:<br>
We have multi-tenancy applications, each tenant will have its own realm (which means the same clients will be defined for each realm).<br>
One of the applications has 3 authentication scenarios:<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:0in;line-height:15.0pt;background:white">
<u></u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><span>1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">User using SDK flow to access the application (by code)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:0in;line-height:15.0pt;background:white">
<u></u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><span>2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Offline job<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:0in;line-height:15.0pt;background:white">
<u></u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><span>3.<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">External micro service (not registered in KeyCloak) that needs to access our application micro service<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:0in;line-height:15.0pt;background:white">
<u></u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><span>4.<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">UI login<br>
We thought to use offline token for the first three, and define a single client for UI and micro services.</span></p></div></div></blockquote><div><br></div><div>For #3 it sounds like a service account would be better.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div><p class="MsoNormal" style="margin-left:0in;line-height:15.0pt;background:white"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><u></u><u></u></span></p>
<p class="MsoNormal" style="margin-top:7.5pt;line-height:15.0pt;background:white">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Does our approach make sense ? specially regarding the realm per tenant and the fact that we will have to create the same clients for each realm,<br>
The offline token usage for the authentication flows, and the single client for the UI and micro service.<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-top:7.5pt;line-height:15.0pt;background:white">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Regarding the offline tokens - why are they per client ? is it mean that when using the client offline token (and getting the real token from KeyCloak) we will not be able to use it
for other client (within the realm) micro service ?<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-top:7.5pt;line-height:15.0pt;background:white">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Also how can we generate them for each of the following cases (also described above):<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:0in;line-height:15.0pt;background:white">
<u></u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><span>1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">User - should manually add the token to his code, so we thought to provide it within the application, however how can we generate
the offline token to already logged in user ? we would like to avoid generating the offline token to all users and to use separate offline login page.</span></p></div></div></blockquote><div><br></div><div>Just do another redirect to login page and include ?scope=offline. If user is already authenticated the user wouldn't have to login again.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div><p class="MsoNormal" style="margin-left:0in;line-height:15.0pt;background:white"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:0in;line-height:15.0pt;background:white">
<u></u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><span>2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Offline job - the offline job which is cross realms will use special operator realm, the token will be generated manually by the
admin which will stored it in the file system for the offline job usage, how can the admin generate this token ? can it be done in the admin console ? if not I guess we will have to create a service that logs him to the application and generate the token,
is there an alternative ?</span></p></div></div></blockquote><div><br></div><div>If the offline job is not acting on behalf of a user then use a service account instead.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div><p class="MsoNormal" style="margin-left:0in;line-height:15.0pt;background:white"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:0in;line-height:15.0pt;background:white">
<u></u><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><span>3.<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Micro service - it's very similar flow to the offline job only that the admin will have to create offline token per realm.</span></p></div></div></blockquote><div><br></div><div>Same as above <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div><p class="MsoNormal" style="margin-left:0in;line-height:15.0pt;background:white"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><u></u><u></u></span></p>
<p class="MsoNormal" style="margin-top:7.5pt;line-height:15.0pt;background:white">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">I hope it's not too much <img width="16" height="16" src="cid:image001.png@01D1B104.42DADC00" alt="https://issues.jboss.org/images/icons/emoticons/smile.png"> and
any advice will be highly appreciated.<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-top:7.5pt;line-height:15.0pt;background:white">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-top:7.5pt;line-height:15.0pt;background:white">
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333">Thanks,<br>
Haim.<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the
intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to
the message and deleting it from your computer. Thank you.
</div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div></div>