Re: [keycloak-user] Announce - Secret Store

On 20.01.2016 17:12, Bill Burke wrote: > What you are describing MAKES ZERO SENSE. From your document: > > "A token is created when an user reaches the path > |/secret-store/v1/tokens/create| via GET (or passing the username and > password as Basic authentication via POST) and stored into a Cassandra > data store:" > > You are doing EXACTLY what the direct grant REST api does except you are > using basic auth. I still don't see the purpose of this service. Those are performed in different steps. The user creates this token via an UI (or CLI, if needed), then use this key/secret as the credentials on the client. The client has no knowledge about Keycloak, OAuth, or about any meta data that was embedded into this opaque token. All it cares is that it's going to call the end service using basic auth. The secret store is *not* for every application: it's targeted to clients where OAuth handling is costly, undesirable or even impossible (like legacy applications). So, instead of entering the user's own credentials there, the key/secret are used instead. Our "metrics collector agent" is the main target for this: the knowledge about auth doesn't belong there. All it needs to know is an "user" and "password", which are the "key" and "secret" for the token. Where Keycloak is, how to create an access token from an offline token, how long to keep an access token, and so on is made at the secret store, as we need to save every processing cycle possible, to not badly influence a server that is being monitored (and possibly, already in a bad shape). Of course, if you can live with your password being stored in plaintext on the clients, you don't need the secret store. But honestly, that seems ridiculous.