Hi,
On 27.11.2014 16:21, Ruben Lopez wrote:
Hi,
Our
organization is currently evaluating the use of Keycloak and
we have some questions:
1
- Is there any way to obtain an access token for an OAuth
Client via Client Credentials[1]?
You mean something like Service account like this from OAuth2 specs
http://tools.ietf.org/html/rfc6749#page-40 ? We don't have that yet,
but there are plans to support it afaik.
2
- If we make a request to an Application (Resource Server)
with an access token and this Application needs to talk to
another protected Application to form the response to the
client, how does the first Application authenticates to the
second Application? Does Keycloak implements something like
Chain Grant Type Profile[2]?
yes, that is doable. We have an example where we have frontend
application like 'customer-portal', which is able to retrieve
accessToken from keycloak like here:
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48
and then use this accessToken to send request to backend application
'database-service' in Authorization header
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54
. Database-service is then able to authenticate the token.
Currently our database-service is directly serving requests and send
back data, but it shouldn't be a problem to add another application
to the chain, so that database-service will send the token again to
another app like 'real-database-service', which will return data and
those data will be sent back to the original frontent requestor
(customer-portal). Is it something what you meant?
Marek
Thanks
in advance.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user