On 11.12.2014 18:07, Ruben Lopez wrote:
I have a couple more questions.

1) Will you implement the features requested in KEYCLOAK-402 and
KEYCLOAK-405? If so, when?

Hard to say exactly, but it looks like it will be quite soon, as it is a
requirement from more people and potential customers. Hopefully in
terms of weeks/months, but it is hard to promise an exact date... I think it
would require enhancing our existing password policies, but those would be
a bit harder to add than the current simple policies, as it will also require
storing some info in the database (like password expiration time and older
passwords).

2) Are there any plans to support Integrated Windows Authentication?

You mean login to KC when the user is already logged in to a Windows domain? Yes,
we have a plan to add Kerberos/SPNEGO soon and I think that it should
solve Windows domain authentication too. Hopefully around January.

Marek

Thanks :)
2014-11-28 5:04 GMT-03:00 Stian Thorgersen <stian(a)redhat.com>:
----- Original Message -----
> From: "Ruben Lopez" <rubenlop88(a)gmail.com>
> To: "Marek Posolda" <mposolda(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Thursday, 27 November, 2014 5:37:45 PM
> Subject: Re: [keycloak-user] Questions about keycloak
>
> Hi Marek,
>
> 2014-11-27 12:38 GMT-03:00 Marek Posolda < mposolda(a)redhat.com > :
>
> 1 - Is there any way to obtain an access token for an OAuth Client via Client
> Credentials[1]?
> You mean something like Service account like this from OAuth2 specs
> http://tools.ietf.org/html/rfc6749#page-40 ? We don't have that yet, but
> there are plans to support it afaik.
>
> Yes, I was talking about section 4.4 Client Credentials Grant. Any idea
> about when it will be implemented?
I can't give you an exact date, but it's becoming more and more
of a priority so should be within a few months. We also plan to
add cert based authentication for clients.
In the meantime you can work around this issue by creating a user
on behalf of the client and using Resource Owner Password
Credentials Grant (section #4.3). Look at
'examples/preconfigured-demo/admin-access' in the download for an
example.
>
> 2 - If we make a request to an Application (Resource Server) with an access
> token and this Application needs to talk to another protected Application to
> form the response to the client, how does the first Application
> authenticate to the second Application? Does Keycloak implement something
> like Chain Grant Type Profile[2]?
> yes, that is doable. We have an example where we have frontend application
> like 'customer-portal', which is able to retrieve accessToken from keycloak
> like here:
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c...
> and then use this accessToken to send request to backend application
> 'database-service' in Authorization header
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c...
> . Database-service is then able to authenticate the token.
>
> Currently our database-service is directly serving requests and sending back
> data, but it shouldn't be a problem to add another application to the chain,
> so that database-service will send the token again to another app like
> 'real-database-service', which will return data and those data will be sent
> back to the original frontend requestor (customer-portal). Is it something
> what you meant?
>
> That's exactly what I meant. I will take a look at the example.
>
> Thank you very much.
>
> Marek
>
> Thanks in advance.
>
> _______________________________________________
> keycloak-user mailing list keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
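
The two grants compared in the thread (RFC 6749 section 4.4, and the section 4.3 workaround with a user created on behalf of the client), plus the bearer header sent to the backend, as an added example that is not from the thread or from Keycloak. Client, user and token values are constructed, the client is assumed to be confidential and authenticated with HTTP Basic, and the token endpoint URL is left out because it depends on the Keycloak version.

```python
import base64
import json
from urllib.parse import quote_plus, urlencode

def _basic(client_id, client_secret):
    # RFC 6749 section 2.3.1: form-encode id and secret, then HTTP Basic.
    raw = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def token_request(client_id, client_secret, service_user=None):
    """Return (headers, body) for the token endpoint POST.

    service_user=None       -> section 4.4 client credentials grant
    service_user=(name, pw) -> section 4.3 password grant (the workaround)
    """
    if service_user is None:
        form = {"grant_type": "client_credentials"}
    else:
        # The workaround needs a second long-lived secret: the user's password.
        name, password = service_user
        form = {"grant_type": "password", "username": name, "password": password}
    headers = {"Authorization": _basic(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(form)

def bearer_headers(token_response, issued_at, now, min_remaining=30):
    """Build the Authorization header from a section 5.1 token response.

    Refuses a non-bearer token or one that is expired or about to expire.
    """
    data = json.loads(token_response)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("not a bearer token")
    remaining = issued_at + int(data.get("expires_in", 0)) - now
    if remaining < min_remaining:
        raise ValueError("token expired or close to expiry; request a new one")
    return {"Authorization": "Bearer " + data["access_token"]}

# Constructed sample response, not taken from Keycloak or the thread.
SAMPLE_RESPONSE = json.dumps(
    {"access_token": "constructed.sample.token", "token_type": "bearer",
     "expires_in": 300})

if __name__ == "__main__":
    print(token_request("database-client", "s3cret", ("svc-database", "user-pw"))[1])
    print(token_request("database-client", "s3cret")[1])
    print(bearer_headers(SAMPLE_RESPONSE, issued_at=1000, now=1100))
```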