Hi,
Stian Thorgersen <stian(a)redhat.com> wrote on 24/06/2015 15:00:18:
We'll be adding service accounts in the near future, that'll
provide
a way for clients to obtain a token on behalf of themselves. There
will be a special linked user to the client. Clients can obtain this
through the client credential grant (see oauth2 for more details)
and use a secret or pub/priv keypair to authenticate.
that sounds great.
For a client to get a token on behalf of a user the user will have
to either enter username/pass in a cli and you'd use resource owner
credential grant (again see oauth2 for more details) or you'd use
the normal redirect based flow.
For the above once we add offline tokens this will only be required
as an initial setup as the "refresh token" will not expire until the
user goes in and revokes access to the appliction.
That's actually the initial setup that I would like to avoid. If we talk
about social websites this flow makes absolute sense, as I as the user
want to control what data can be accessed by external services. However,
in an enterprise application the user shouldn't be bothered with single
microservices IMO. Therefore, when I ask the user to authorise some
arbitrary backend service to access some data, the user will probably be
surprised or, even worse, confused.
Currently I only see three possible solutions:
1. Do it as you propose and implement the OAuth flow.
2. Add some additional API and options to allow clients to request access
tokens on behalf of users (maybe with reduced privileges only).
3. Somehow let the service figure out the access rights of the user, e.g.
by using the admin API (haven't really checked whether that would work at
all).
I don't like 3 because a) I don't want to provide admin privileges to my
services and b) I don't like the fact that authorisation would work
differently in that case. I definitely prefer 2 over 1, because I think it
will provide the best user experience. My hope was that there is some
other option to handle that use case that I wasn't aware of.
As a general question, would such a feature fit into keycloak, or is out
of consideration because it is not standardized?
best
Carsten
--------------------------------------------------------------------------------------------------------------------------------------------
Carsten Saathoff - KISTERS AG - Stau 75 - 26122 Oldenburg - Germany
Handelsregister Aachen, HRB-Nr. 7838 | Vorstand: Klaus Kisters, Hanns Kisters |
Aufsichtsratsvorsitzender: Dr. Thomas Klevers
Phone: +49 441 93602 -257 | Fax: +49 441 93602 -222 | E-Mail: Carsten.Saathoff(a)kisters.de
| WWW:
http://www.kisters.de
--------------------------------------------------------------------------------------------------------------------------------------------
Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie
nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren
Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie
die unbefugte Weitergabe dieser Mail ist nicht gestattet.
This e-mail may contain confidential and/or privileged information. If you are not the
intended recipient (or have received this e-mail in error) please notify the sender
immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution
of the material in this e-mail is strictly forbidden.