----- Original Message -----
From: "Ruben Lopez" <rubenlop88(a)gmail.com>
To: "Marek Posolda" <mposolda(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Thursday, 27 November, 2014 5:37:45 PM
Subject: Re: [keycloak-user] Questions about keycloak
Hi Marek,
2014-11-27 12:38 GMT-03:00 Marek Posolda <mposolda(a)redhat.com>:
1 - Is there any way to obtain an access token for an OAuth Client via Client
Credentials[1]?
You mean something like Service account like this from OAuth2 specs
http://tools.ietf.org/html/rfc6749#page-40 ? We don't have that yet, but
there are plans to support it afaik.
Yes, I was talking about section 4.4 Client Credentials Grant. Any idea
about when it will be implemented?
I can't give you an exact date, but it's becoming more and more of a priority so
should be within a few months. We also plan to add cert based authentication for clients.
In the meantime you can work around this issue by creating a user on behalf of the client
and use Resource Owner Password Credentials Grant (section #4.3). Look at
'examples/preconfigured-demo/admin-access' in the download for an example.
2 - If we make a request to an Application (Resource Server) with an access
token and this Application needs to talk to another protected Application to
form the response to the client, how does the first Application
authenticate to the second Application? Does Keycloak implement something
like Chain Grant Type Profile[2]?
yes, that is doable. We have an example where we have frontend application
like 'customer-portal', which is able to retrieve accessToken from keycloak
like here:
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c...
and then use this accessToken to send request to backend application
'database-service' in Authorization header
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c...
. Database-service is then able to authenticate the token.
Currently our database-service is directly serving requests and sending back
data, but it shouldn't be a problem to add another application to the chain,
so that database-service will send the token again to another app like
'real-database-service', which will return data and those data will be sent
back to the original frontend requestor (customer-portal). Is it something
what you meant?
That's exactly what I meant. I will take a look at the example.
Thank you very much.
Marek
Thanks in advance.
_______________________________________________
keycloak-user mailing list keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
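The two things discussed in the thread, the client_credentials grant (RFC 6749 section 4.4) next to the password-grant workaround (section 4.3) with a user created on behalf of the client, and the bearer-token relay from customer-portal through database-service to a further 'real-database-service', as an added in-process example. This is not Keycloak's code or the demo-template examples; it is a constructed, minimal RFC 6749 token endpoint and resource-server chain. The client ids, secrets, user names and TOKEN_TTL are made up for the example; the application names are the ones used in the thread.

```python
"""Constructed RFC 6749 token endpoint plus a two-hop bearer-token relay (example, not Keycloak)."""
import base64
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed registries; a real IdP (Keycloak) keeps these in its realm database.
CLIENTS = {"customer-portal": "portal-secret", "batch-job": "batch-secret"}
# 'svc-batch' plays the "user created on behalf of the client" from the workaround.
USERS = {"alice": "alice-password", "svc-batch": "svc-batch-password"}
TOKEN_TTL = 300  # seconds; assumed value


@dataclass
class Grant:
    subject: str      # user for the password grant, client_id for client_credentials
    client_id: str
    expires_at: float


class TokenEndpoint:
    def __init__(self, now=time.time):
        self._tokens = {}  # opaque token -> Grant
        self._now = now

    def _client_from_basic(self, authorization):
        """RFC 6749 section 2.3.1: client_id:client_secret in HTTP Basic."""
        if not authorization or not authorization.startswith("Basic "):
            return None
        try:
            raw = base64.b64decode(authorization[6:], validate=True).decode()
        except ValueError:
            return None
        client_id, _, secret = raw.partition(":")
        expected = CLIENTS.get(client_id)
        if expected is None or not hmac.compare_digest(secret.encode(), expected.encode()):
            return None
        return client_id

    def token(self, form, authorization):
        """Handle a POST to the token endpoint; returns the JSON body as a dict."""
        client_id = self._client_from_basic(authorization)
        if client_id is None:
            return {"error": "invalid_client"}
        grant_type = form.get("grant_type")
        if grant_type == "client_credentials":  # section 4.4: the client is the subject
            subject = client_id
        elif grant_type == "password":  # section 4.3: client + resource owner credentials
            user, pw = form.get("username", ""), form.get("password", "")
            if user not in USERS or not hmac.compare_digest(pw.encode(), USERS[user].encode()):
                return {"error": "invalid_grant"}
            subject = user
        else:
            return {"error": "unsupported_grant_type"}
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = Grant(subject, client_id, self._now() + TOKEN_TTL)
        return {"access_token": tok, "token_type": "Bearer", "expires_in": TOKEN_TTL}

    def validate(self, authorization):
        """Resource servers call this with the Authorization header; None means reject."""
        if not authorization or not authorization.startswith("Bearer "):
            return None
        grant = self._tokens.get(authorization[7:])
        if grant is None or grant.expires_at <= self._now():
            return None
        return grant


def basic_auth(client_id, secret):
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


# --- the chain: customer-portal -> database-service -> real-database-service ---
def real_database_service(idp, headers):
    grant = idp.validate(headers.get("Authorization"))
    if grant is None:
        return 401, None
    return 200, {"rows": [f"row for {grant.subject}"]}


def database_service(idp, headers):
    grant = idp.validate(headers.get("Authorization"))
    if grant is None:
        return 401, None
    # Relay the caller's token unchanged; the next hop validates it again itself.
    return real_database_service(idp, {"Authorization": headers["Authorization"]})


def customer_portal(idp, access_token):
    return database_service(idp, {"Authorization": f"Bearer {access_token}"})
```

Each hop validates the token independently rather than trusting the previous service, which is what lets the chain be extended by one more application as described above; the relayed token still carries the original subject, so the last service sees who the request was made for.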