<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>Thank you for the detailed answer.</div>
<div>
<div id="">
<div>
<div><br>
</div>
<div>Moshe.</div>
<div><br>
<table border="0" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none;">
<tbody>
<tr style="height: 32.85pt;">
<td style="width: 100pt; border-style: none solid none none; border-right-color: rgb(165, 165, 165); border-right-width: 1.5pt; padding: 0in 1.4pt; height: 32.85pt;" valign="top" width="100">
<p style="margin: 0px; font-size: 12px; font-family: Helvetica;"><a href="http://www.perfectomobile.com"><img alt="" border="0" height="30" src="http://www.perfectomobile.com/sites/all/themes/perfecto/img/perfecto_email_logo.jpg" width="98"></a></p>
</td>
<td style="width: 364pt; border: none; padding: 0in 5.4pt; height: 32.85pt;" valign="top" width="364">
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 12pt;"><span style="font-family:calibri,sans-serif;"><span style="font-size:9pt;"><b>Moshe Ben-Shoham</b></span></span><b><o:p></o:p></b></p>
<p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 12pt;"><span style="font-family:calibri,sans-serif;"><span style="font-size:9pt;">R&D Director, System Architecture</span></span></p>
<span style="font-family:calibri,sans-serif;"><span style="font-size:9pt;"><font color="#82bb41">Phone:</font>
<span style="color: rgb(166, 166, 166);">+972-3-9260-137</span><br>
<font color="#82bb41">Mobile:</font> <span style="color: rgb(166, 166, 166);">+972 54 4324480</span><br>
<font color="#82bb41">Email:</font><span style="color: rgb(237, 125, 49);"> </span><span style="color:#A9A9A9;">mosheb@perfectomobile.com</span></span></span></td>
</tr>
</tbody>
</table>
</div>
<div>
<div id=""><br>
</div>
</div>
</div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Stian Thorgersen <<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>><br>
<span style="font-weight:bold">Reply-To: </span>"<a href="mailto:stian@redhat.com">stian@redhat.com</a>" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Thursday, 19 May 2016 at 10:03 AM<br>
<span style="font-weight:bold">To: </span>Moshe Ben-Shoham <<a href="mailto:mosheb@perfectomobile.com">mosheb@perfectomobile.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>" <<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] How to secure REST APIs with KeyCloak<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">
<div>One option is to allow users to log in through the script itself. Take a look at our customer-app-cli in the examples. It has two options: one is to show the user a login that the user then opens and copy/pastes the code back to the application; the other
is that it opens it in a browser and the script can then read the token directly itself. You can combine this with changing the SSO idle/max configuration for the realm to determine how often a user needs to re-authenticate. You can also combine it with offline
tokens if you want the scripts to remain permanently authenticated.</div>
<div><br>
</div>
<div>Using direct access grants works as well. Rather than adding the username/password to the script, you should have the script request the username/password; then the script stores the token, not the password. As above, you'd configure SSO idle/max to determine
how often users need to re-authenticate, or you can use offline tokens here as well. You're right that this won't support identity brokering; that's only available for the web flow.</div>
<div><br>
</div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 15 May 2016 at 20:59, Moshe Ben-Shoham <span dir="ltr">
<<a href="mailto:mosheb@perfectomobile.com" target="_blank">mosheb@perfectomobile.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>Hi,</div>
<div><br>
</div>
<div>I'm trying to figure out the best way to secure REST APIs with KeyCloak. The REST APIs are to be invoked by unattended batch processes that are not KeyCloak clients but end-user scripts. I imagine a process in which the user generates a token using some
web app and then uses this token in his scripts in order to authenticate when invoking the REST APIs.</div>
<div><br>
</div>
<div>So far I have found 2 options, but none of them seems like a very good option:</div>
<div><br>
</div>
<div>(1) Use offline tokens – according to the docs, offline tokens are to be used by KeyCloak clients that need to do things on behalf of the user. In my case, it is the end user that needs the token and not a client. Should I build a dedicated client that
will create the offline tokens and give them to the end user to use? Is this a misuse of offline tokens?</div>
<div><br>
</div>
<div>(2) Use Direct Access Grants – it seems like in this option, at least in its simplest form, the user needs to pass a username and password to get a token. This means users need to keep their password in their scripts (or script configuration), which is bad
practice. In addition, what happens when KeyCloak is configured to be an Identity Broker? In this case KeyCloak does not even know how to handle the username/password.</div>
<div><br>
</div>
<div>Any help is appreciated!</div>
<div>
<div></div>
</div>
</div>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
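The direct-access-grant flow Stian describes, as an added example that is not code from the thread or from the Keycloak project: the script collects the password interactively (the caller would use getpass), exchanges it once at the token endpoint, writes only the refresh or offline token to an owner-only file, and on later runs trades that token for a short-lived access token. The realm URL and client id are placeholders.

```python
"""Added example (not from the thread or from Keycloak): a batch script that asks the
user for a password once, exchanges it with a Direct Access Grant, keeps only the
refresh (or offline) token on disk, and refreshes the access token on later runs."""
import json, os
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://sso.example.com/auth/realms/demo/protocol/openid-connect/token"  # placeholder
CLIENT_ID = "batch-cli"  # placeholder public client with Direct Access Grants enabled
TOKEN_FILE = os.path.expanduser("~/.batch-cli-refresh-token")

def password_grant_form(username, password, offline=False):
    """Form body for the password grant; scope=offline_access asks for an offline token."""
    form = {"grant_type": "password", "client_id": CLIENT_ID,
            "username": username, "password": password}
    if offline:
        form["scope"] = "offline_access"
    return form

def refresh_grant_form(refresh_token):
    return {"grant_type": "refresh_token", "client_id": CLIENT_ID,
            "refresh_token": refresh_token}

def post_form(form, post=None):
    """POST to the token endpoint; `post` can be replaced by a fake for offline tests."""
    if post is not None:
        return post(form)
    req = Request(TOKEN_URL, data=urlencode(form).encode(), method="POST")
    with urlopen(req) as resp:
        return json.load(resp)

def save_refresh_token(refresh_token, path):
    """Write only the refresh token, owner-readable (0600); the password never touches disk."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(refresh_token)

def login(username, password, offline=False, post=None, path=TOKEN_FILE):
    """First run: exchange the password once and store the refresh token, not the password."""
    tokens = post_form(password_grant_form(username, password, offline), post)
    save_refresh_token(tokens["refresh_token"], path)
    return tokens["access_token"]

def access_token(post=None, path=TOKEN_FILE):
    """Later runs: trade the stored token for a new access token; realm SSO idle/max bounds this."""
    with open(path) as f:
        tokens = post_form(refresh_grant_form(f.read().strip()), post)
    save_refresh_token(tokens["refresh_token"], path)  # Keycloak may rotate it
    return tokens["access_token"]
```

Revoking the user's session (or the offline token) in the Keycloak admin console is then enough to cut the script off, which a password copied into a config file would not allow.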
</span>
</body>
</html>