It would make sense for us to add something similar to Google's service account.
It lets you
create a special "user" that is associated with an application, and you can
authenticate the client/user at the same time with one set of credentials.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
Sent: Tuesday, 12 August, 2014 6:13:21 PM
Subject: Re: [keycloak-user] Direct Access Grants & 'Client Credentials'
OAuth2 grant type
Right now we require you to create a user and give permissions to that
user. Not sure if we'll add client credentials grant as it would
require having role mappings for clients and applications.
On 8/12/2014 11:40 AM, Schneider, John DODGE CONSULTING SERVICES, LLC wrote:
> Hi everyone,
> I’ve been evaluating the “Direct Access Grants” functionality of
> Keycloak. Overall, I think I can make it work for my use cases, but I
> do have a couple of concerns.
> Chapter 12 of the documentation compares Keycloak’s Direct Access Grants
> functionality to OAuth2’s “Resource Owner Password Credentials Grant.”
> However, if I understand the specification correctly, this grant type is
> only for using the resource owner’s credentials. What if we can’t
> authorize using the resource owner credentials, but need to authorize
> the client itself using the client id and secret alone? For this, we
> need support for the “Client Credentials Grant”. Is this planned for
> Keycloak 1.0?
> By adding the required “grant_type” parameter to the
> “tokens/grants/access” service endpoint, it seems like both the
> “password” and “client_credentials” could be supported, with the
> “client_credentials” grant type simply not requiring the username and
> password form parameters in the POST. Thoughts on this?
> keycloak-user mailing list
JBoss, a division of Red Hat
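
The grant_type dispatch proposed in the quoted message, as an added sketch that is not part of the thread and is not Keycloak code. The function names, the in-memory client and user tables and the error mapping (RFC 6749 section 5.2 codes) are assumptions made for illustration.

```python
import base64
import hmac

# Constructed sample data; a real server stores hashed secrets, not plaintext.
CLIENTS = {"reporting-app": "s3cr3t"}
USERS = {"alice": "wonderland"}

class GrantError(Exception):
    """Carries an RFC 6749 section 5.2 error code."""

def authenticate_client(authorization):
    """Check HTTP Basic client credentials and return the client id."""
    scheme, _, encoded = (authorization or "").partition(" ")
    if scheme.lower() != "basic":
        raise GrantError("invalid_client")
    try:
        decoded = base64.b64decode(encoded, validate=True).decode()
    except ValueError:
        raise GrantError("invalid_client") from None
    client_id, _, secret = decoded.partition(":")
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        raise GrantError("invalid_client")
    return client_id

def resolve_grant(form, authorization):
    """Return (client_id, subject) for a token request or raise GrantError."""
    client_id = authenticate_client(authorization)  # required for both grants
    grant_type = form.get("grant_type")
    if not grant_type:
        raise GrantError("invalid_request")
    if grant_type == "client_credentials":
        # The client acts for itself, so there is no user subject. Rejecting
        # stray user credentials is a strictness choice made in this sketch.
        if "username" in form or "password" in form:
            raise GrantError("invalid_request")
        return client_id, None
    if grant_type == "password":
        username, password = form.get("username"), form.get("password")
        if not username or not password:
            raise GrantError("invalid_request")
        stored = USERS.get(username)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            raise GrantError("invalid_grant")
        return client_id, username
    raise GrantError("unsupported_grant_type")
```

A token issued for the `client_credentials` case has no user to take roles from, which is why that grant needs role mappings on the client itself.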