You mean something like Service account like this from OAuth2 specs http://tools.ietf.org/html/rfc6749#page-40 ? We don't have that yet, but there are plans to support it afaik.

1 - Is there any way to obtain an access token for an OAuth Client via Client Credentials[1]?

Yes, that is doable. We have an example where we have a frontend application like 'customer-portal', which is able to retrieve an accessToken from Keycloak like here: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48 and then use this accessToken to send a request to the backend application 'database-service' in the Authorization header https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54 . Database-service is then able to authenticate the token.

2 - If we make a request to an Application (Resource Server) with an access token and this Application needs to talk to another protected Application to form the response to the client, how does the first Application authenticate to the second Application? Does Keycloak implement something like Chain Grant Type Profile[2]?

Currently our database-service is directly serving requests and sending back data, but it shouldn't be a problem to add another application to the chain, so that database-service will send the token again to another app like 'real-database-service', which will return data, and that data will be sent back to the original frontend requestor (customer-portal). Is that what you meant?

Marek
Thanks in advance.
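
The token relay described in the reply above, as an added example that is not part of the original message or of Keycloak's demo code: a middle service forwards the caller's bearer token unchanged to the next hop, and each hop authenticates it on its own. The sample token, the loopback services, and the equality check standing in for real token validation are assumptions.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SAMPLE_TOKEN = "constructed-sample-token"  # constructed value, not a real Keycloak token
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env

def bearer(header):
    """Return the token from an 'Authorization: Bearer ...' header value, else None."""
    scheme, _, token = (header or "").partition(" ")
    return (token.strip() or None) if scheme.lower() == "bearer" else None

def call(url, token=None):
    """GET url, optionally presenting a bearer token; return (status, body)."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""

def serve(handle):
    """Start a loopback HTTP service; handle(token) returns (status, body)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = bearer(self.headers.get("Authorization"))
            status, body = handle(token) if token else (401, "")
            self.send_response(status)
            self.end_headers()
            self.wfile.write(body.encode())
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/" % server.server_port

def run_chain(token):
    """customer-portal -> database-service -> real-database-service."""
    # Stand-in check: a real service validates signature, expiry and audience.
    real_db = serve(lambda t: (200, "customer rows") if t == SAMPLE_TOKEN else (403, ""))
    # database-service relays the caller's token unchanged to the next hop.
    database = serve(lambda t: call(real_db, t))
    return call(database, token)

if __name__ == "__main__":
    print(run_chain(SAMPLE_TOKEN))
```

Because the token is forwarded as-is, every hop in the chain receives a credential carrying the caller's full privileges, so each service has to validate it independently rather than trust the upstream hop.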