To support "agents" or other non-humans we intend to add two things to
Keycloak:
* Client accounts - these are basically a account that's linked to a specific client
* Client auth mechanisms - cert and/or jwt/jws auth mechanisms for clients
There's is standard flows in OpenID Connect for clients to authenticate as themselves
to retrieve tokens. We don't have this yet though.
Do you want an agent to authenticate as itself, or on behalf of a user? In either case for
the time being you should use direct grant to obtain a refresh token and store that. I
would recommend you create a small lib that makes it very easy for an agent to do that.
Something like (pseudo code, with no thoughts about usability):
Auth auth = Auth.init("client-id", "client-secret",
"username", "password");
String token = auth.getToken();
Under the covers this would invoke Keycloak's direct grant api to obtain a token. In
the future when we add support for client account and client auth mechanisms it could be
simplified to:
Auth auth = Auth.init("client-id", "client-secret");
or
X509Certificate cert = loadCert();
Auth auth = Auth.init("client-id", cert);
----- Original Message -----
From: "Juraci Paixão Kröhling"
<jpkroehling(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 26 May, 2015 7:08:08 PM
Subject: [keycloak-dev] Persistent token
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
All,
For Hawkular, we have an agent that runs on behalf of an user on a
separate machine (a server), sending metrics to our backend, secured
by Keycloak.
While we could perform all the OAuth steps in our agent code, a goal
for us is to make it as easy as possible for third-parties to write
"agents". So, having a basic-auth-like scenario is the ideal scenario
for us.
I think I have discussed this scenario earlier with Marek and/or Stian
via IRC but I don't think a conclusion was made back then.
Basically, what we would need is either a "persistent token" or a
key/secret mechanism. For now, we are making the agent use the
basic-auth, but that implies in the agent knowing the user's password
(which is not ideal).
As I understand that there were some talks about this before, I would
like to understand what's the current (planned) solution for this
scenario. Depending on how it goes, I can start with a PoC and send it
as a PR for Keycloak.
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJVZKh4AAoJECKM1e+fkPrXdoUH/3DJty468AQ0MQgo5SokCrfu
GvfGkDi0yMvOutsPdAYVGLxwUAFNFXICG1x/iP3UZYHcZgqzuclwMJQOV3/RKNAb
uGn5VlllV5rhUnJiF49QeGVrYwB/O9llkRty5jzIzo0vej8eZl8LIQroxjIwpCEQ
gy9OwBnj60mBcTvE33EgKKhAsBQ+aVKCFsc/LLDPxBljWvwk5o4OOwJ7HoqFoOI6
Jh78ehOJam1cJug8U3wBWvf9VI2cZzxTAw5fUlM7YBwqR1ewiYsk2XrxQP7DTu76
F0fYsi/fK2y8LA84K+QAztxXvOb5GiS/t6ZZAUER/ZkyzFUJ6qf908gwgqZKWA8=
=dcGk
-----END PGP SIGNATURE-----
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev