Hi,
We are evaluating KeyCloak to be our SSO server, and we have a few questions regarding the
offline token usage.
First our high level use case is as follows:
We have multi-tenancy applications, each tenant will have its own realm (which means the
same clients will be defined for each realm).
One of the applications has 3 authentication scenarios:
1. User using SDK flow to access the application (by code)
2. Offline job
3. External micro service (not registered in KeyCloak) that needs to access our
application micro service
4. UI login
We thought to use offline token for the first three, and define a single client for UI and
micro services.
Does our approach make sense? Especially regarding the realm per tenant and the fact that
we will have to create the same clients for each realm, the offline token usage for the
authentication flows, and the single client for the UI and micro services.
Regarding the offline tokens - why are they per client? Does it mean that when using the
client offline token (and getting the real token from KeyCloak) we will not be able to use
it for another client's (within the realm) micro service?
Also how can we generate them for each of the following cases (also described above):
1. User - should manually add the token to his code, so we thought to provide it within
the application; however, how can we generate the offline token for an already logged-in
user? We would like to avoid generating the offline token for all users and using a
separate offline login page.
2. Offline job - the offline job, which is cross-realm, will use a special operator realm;
the token will be generated manually by the admin, who will store it in the file system
for the offline job's usage. How can the admin generate this token? Can it be done in the
admin console? If not, I guess we will have to create a service that logs him in to the
application and generates the token; is there an alternative?
3. Micro service - it's a very similar flow to the offline job, only that the admin
will have to create an offline token per realm.
I hope it's not too much :) and any advice will be highly appreciated.
Thanks,
Haim.
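As an added example (not from this thread or the Keycloak project), the script below shows how a client obtains an offline token from a realm's token endpoint by adding scope=offline_access, how a job or micro service later exchanges the stored token for a short-lived access token, and how the typ and azp claims in the token show that it is an offline token bound to one client. The host, realm, client id and secret are placeholders, and the /auth path prefix is assumed.

```python
import base64
import json
from urllib.parse import urlencode

KEYCLOAK_BASE = "https://sso.example.test"  # placeholder host
REALM = "tenant-a"                          # placeholder realm (one per tenant)
CLIENT_ID = "app-services"                  # placeholder confidential client
CLIENT_SECRET = "CLIENT-SECRET-PLACEHOLDER" # load from a secret store in practice

def token_endpoint(realm: str) -> str:
    # Realm token endpoint; the /auth prefix is assumed for Keycloak of this era.
    return f"{KEYCLOAK_BASE}/auth/realms/{realm}/protocol/openid-connect/token"

def offline_token_request(username: str, password: str) -> str:
    # A normal token request plus scope=offline_access; needs Direct Access Grants
    # enabled on the client and the offline_access role on the user. The
    # refresh_token in the response is the offline token.
    return urlencode({"grant_type": "password", "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET, "username": username,
                      "password": password, "scope": "offline_access"})

def access_token_request(offline_token: str) -> str:
    # Posted later by the job/micro service to get a short-lived access token.
    return urlencode({"grant_type": "refresh_token", "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET, "refresh_token": offline_token})

def jwt_claims(token: str) -> dict:
    # Decodes the payload only, for inspection; no signature check is done here.
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def is_offline_token(token: str) -> bool:
    # Keycloak sets typ=Offline on offline tokens (typ=Refresh on ordinary ones).
    return jwt_claims(token).get("typ") == "Offline"

def bound_client(token: str) -> str:
    # azp is the client the token was issued to; Keycloak rejects a refresh from
    # any other client, which is why offline tokens are per client.
    return jwt_claims(token).get("azp", "")

def _unsigned_jwt(claims: dict) -> str:
    # Constructed sample token for the demo; not a real Keycloak-issued token.
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64(claims)}."

SAMPLE_OFFLINE_TOKEN = _unsigned_jwt({"typ": "Offline", "azp": CLIENT_ID,
                                      "iss": f"{KEYCLOAK_BASE}/auth/realms/{REALM}"})
```

For the offline job and the micro service cases an admin can run the first request once against each realm and store the returned offline token where the job can read it; the job then only ever posts the second request.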