I realize these aren't clients in the sense Keycloak intends, but in this case Keycloak provides all the functionality I need without me having to rebuild it myself -- particularly with respect to generating and managing certificates. Since the devices are all under our control, the concept of a service account seems to fit even if the Keycloak concept of "client" really is intended for something else.
 
Will using Keycloak clients for this purpose get us in trouble somehow?
 
 
On Wed, Jan 13, 2016, at 09:46 AM, Bill Burke wrote:
I think you'd be better served having public clients and developing cert auth for users via our auth spi, as these are users aren't they?  They aren't clients in the sense of what Keycloak thinks of as a client.  A client in keycloak is really a service or web app.
 
On 1/13/2016 2:43 AM, Stian Thorgersen wrote:
As Bill said we haven't tested with loads of clients, but we need to be able to scale to hundreds or probably thousand clients at least. So if you run into issues with it let us know and we'll look into it.
 
On 13 January 2016 at 01:18, Aikeaguinea <aikeaguinea@xsmail.com> wrote:
I'd say we're talking on the order of a hundred to start with; this
could ramp up to multiples of that within a year or two. I imagine the
thing to do would be for us to do some stress testing of our own.
 
On Tue, Jan 12, 2016, at 06:57 PM, Bill Burke wrote:
> How many devices you talking about?  I think it may become an issue as
> we haven't really stressed and benched with tons (hundreds/thousands) of
> clients.
>
> On 1/12/2016 6:08 PM, Aikeaguinea wrote:
> > We have a number of devices that need to access APIs; for various
> > reasons we need to use client certificates for this purpose.
> >
> > I have noticed that Keycloak will allow service accounts to authenticate
> > using client certificates and that these certificates can be generated
> > within Keycloak. This looks like it fits our needs well -- when we set
> > up a new device we would need to set up a new client and service account
> > for it in Keycloak. I've verified through testing that we can make this
> > work.
> >
> > Ultimately we may have to manage a fairly large number of devices, say
> > in the hundreds. Is there any reason that Keycloak would limit us in the
> > number of clients we could create and manage in this way?
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
> _______________________________________________
> keycloak-user mailing list
 
 
--
  Aikeaguinea
aikeaguinea@xsmail.com

--
http://www.fastmail.com - Or how I learned to stop worrying and
                          love email again
 
_______________________________________________
keycloak-user mailing list
 
 
 
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user
 
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
 
--
  Aikeaguinea
  aikeaguinea@xsmail.com
 
 
-- 
http://www.fastmail.com - The way an email service should be