On 18 May 2016 at 11:53, Haim Vana <haimv(a)perfectomobile.com> wrote:
Hi,
We are evaluating KeyCloak to be our SSO server, and we have a few
questions regarding the offline token usage.
First our high level use case is as follows:
We have multi-tenancy applications, each tenant will have its own realm
(which means the same clients will be defined for each realm).
One of the applications has 3 authentication scenarios:
1. User using SDK flow to access the application (by code)
2. Offline job
3. External micro service (not registered in KeyCloak) that needs to access our application micro service
4. UI login
We thought to use offline token for the first three, and define a single
client for UI and micro services.
For #3 it sounds like a service account would be better.
Does our approach make sense? Especially regarding the realm per tenant and the fact that we will have to create the same clients for each realm, the offline token usage for the authentication flows, and the single client for the UI and micro service.
Regarding the offline tokens: why are they per client? Does it mean that when using the client's offline token (and getting the real token from KeyCloak) we will not be able to use it for another client's (within the realm) micro service?
Also how can we generate them for each of the following cases (also
described above):
1. User - should manually add the token to his code, so we thought to provide it within the application; however, how can we generate the offline token for an already logged-in user? We would like to avoid generating the offline token for all users and using a separate offline login page.
Just do another redirect to the login page and include ?scope=offline. If the user is already authenticated, the user wouldn't have to log in again.
2. Offline job - the offline job, which is cross-realm, will use a special operator realm. The token will be generated manually by the admin, who will store it in the file system for the offline job's usage. How can the admin generate this token? Can it be done in the admin console? If not, I guess we will have to create a service that logs him in to the application and generates the token. Is there an alternative?
If the offline job is not acting on behalf of a user then use a service
account instead.
3. Micro service - it's a very similar flow to the offline job, only that the admin will have to create an offline token per realm.
Same as above.
I hope it's not too much :) and any advice will be highly appreciated.
Thanks,
Haim.
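As an added illustration (not code from the thread, Keycloak, or Perfecto), here is the shape of the three flows discussed above in Python: the re-redirect for an already logged-in user, the token-endpoint bodies for an offline token and for a service account, and a local claim check an admin can run before storing an offline token for a job. The base URL, realm and client names are constructed; the scope value Keycloak accepts for offline tokens is the OIDC standard `offline_access`, and Keycloak marks offline tokens with `typ` = `Offline` and the issuing client in `azp`.

```python
import base64
import json
from urllib.parse import urlencode
BASE_URL = "https://sso.example.com/auth"  # assumed Keycloak base URL (constructed)

def auth_url(realm, client_id, redirect_uri, state):
    """Authorization URL for a user with a live SSO session: asking for the OIDC
    'offline_access' scope yields an offline token without a second login prompt."""
    params = {"client_id": client_id, "response_type": "code", "state": state,
              "redirect_uri": redirect_uri, "scope": "openid offline_access"}
    return f"{BASE_URL}/realms/{realm}/protocol/openid-connect/auth?" + urlencode(params)

def refresh_body(client_id, client_secret, offline_token):
    """Token-endpoint form body for the SDK / offline-job case. The offline token is
    a long-lived refresh token and must be presented by the client it was issued to."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": offline_token}

def service_account_body(client_id, client_secret):
    """Token-endpoint form body for a caller that is not acting on behalf of a user
    (confidential client with service accounts enabled)."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_token(claims):
    """Constructed JWT with a dummy signature standing in for a Keycloak offline
    token (real ones are signed with the realm key; that is not checked here)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.c2lnbmF0dXJl"

def claims_of(token):
    """Decode the payload only: claim inspection, not signature validation."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def offline_token_problems(token, realm, client_id):
    """Checks before an admin stores an offline token for a job: offline type, the
    expected realm as issuer, and bound (azp) to the client that will present it."""
    c, problems = claims_of(token), []
    if c.get("typ") != "Offline":
        problems.append(f"not an offline token (typ={c.get('typ')!r})")
    if c.get("iss") != f"{BASE_URL}/realms/{realm}":
        problems.append(f"issued by another realm: {c.get('iss')!r}")
    if c.get("azp") != client_id:
        problems.append(f"bound to client {c.get('azp')!r}, not {client_id!r}")
    return problems
```

The last check is the practical answer to the per-client question: a token whose `azp` is one client will be rejected by the token endpoint when another client presents it, so the check surfaces the mismatch before the job is deployed.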
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user