I have a couple more questions.

1) Will you implement the features requested in KEYCLOAK-402 and KEYCLOAK-405? If so, when?

Hard to say exactly, but it looks like it will be quite soon, as it is a requirement from more people and potential customers. Hopefully in terms of weeks/months, but it's hard to promise an exact date... I think it would require enhancing our existing password policies, but those would be a bit harder to add than the current simple policies, as it will also require storing some info in the database (like password expiration time and older passwords).

2) Are there any plans to support Integrated Windows Authentication?

You mean login to KC when the user is already logged in to a Windows domain? Yes, we plan to add Kerberos/SPNEGO soon and I think that it should solve Windows domain authentication too. Hopefully around January.

Thanks :)
2014-11-28 5:04 GMT-03:00 Stian Thorgersen <stian@redhat.com>:
----- Original Message -----
> From: "Ruben Lopez" <rubenlop88@gmail.com>
> To: "Marek Posolda" <mposolda@redhat.com>
> Cc: keycloak-user@lists.jboss.org
> Sent: Thursday, 27 November, 2014 5:37:45 PM
> Subject: Re: [keycloak-user] Questions about keycloak
>
> Hi Marek,
>
> 2014-11-27 12:38 GMT-03:00 Marek Posolda <mposolda@redhat.com>:
>
> 1 - Is there any way to obtain an access token for an OAuth Client via Client
> Credentials[1]?
> You mean something like Service account like this from OAuth2 specs
> http://tools.ietf.org/html/rfc6749#page-40 ? We don't have that yet, but
> there are plans to support it afaik.
>
> Yes, I was talking about section 4.4 Client Credentials Grant. Any idea
> about when it will be implemented?
I can't give you an exact date, but it's becoming more and more of a priority so should be within a few months. We also plan to add cert based authentication for clients.
In the meantime you can work around this issue by creating a user on behalf of the client and using the Resource Owner Password Credentials Grant (section #4.3). Look at 'examples/preconfigured-demo/admin-access' in the download for an example.
>
> 2 - If we make a request to an Application (Resource Server) with an access
> token and this Application needs to talk to another protected Application to
> form the response to the client, how does the first Application
> authenticate to the second Application? Does Keycloak implement something
> like Chain Grant Type Profile[2]?
> yes, that is doable. We have an example where we have frontend application
> like 'customer-portal', which is able to retrieve accessToken from keycloak
> like here:
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48
> and then use this accessToken to send request to backend application
> 'database-service' in Authorization header
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54
> . Database-service is then able to authenticate the token.
>
> Currently our database-service is directly serving requests and sending back
> data, but it shouldn't be a problem to add another application to the chain,
> so that database-service will send the token again to another app like
> 'real-database-service', which will return data and that data will be sent
> back to the original frontend requestor (customer-portal). Is that
> what you meant?
>
> That's exactly what I meant. I will take a look at the example.
>
> Thank you very much.
>
> Marek
>
> Thanks in advance.
>
>
> _______________________________________________
> keycloak-user mailing list keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user