On Wed, Jul 18, 2018 at 6:19 AM, Chirdeep Tomar <chirdeep.tomar(a)gmail.com>
wrote:

> We are implementing a micro services architecture with services written in
> Spring/Vertx and .NET Core.
> So essentially these services are Resource Servers protecting resources and
> according to documentation resource servers are also clients in Keycloak.
> We have a few front end apps and 2 mobile apps for Android and iPhone which
> will also be clients in Keycloak.
>
> Questions
> 1) Should the front end apps and mobile apps be public clients in Keycloak?

Yes.

> 2) If each micro service which is a resource server is a client with
> credentials, how does access token generated for single clientid work
> across multiple micro services?

I think you are talking about service chaining? In case, Client A ->
Service A -> Service B?

The expected flow is that once Client A is issued with an access token, the
token should have a specific set of audiences, for instance, Service A. In
case Service A needs to access Service B, you should be able to use token
exchange to obtain a new token to access Service B from Service A.

I think most people today are just re-using access tokens to access multiple
services, which is not correct. We also have some work being done to better
support audiences in token.

> Not sure how to tie it all together, thanks for your help.
> Chirdeep
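
The audience check and exchange request described in the reply, sketched as an added example (not code from this thread or from the Keycloak project). It assumes the token's signature and expiry were already verified, uses the hypothetical client ids `service-a` and `service-b`, and takes the request parameter names from RFC 8693 (OAuth 2.0 Token Exchange).

```python
from urllib.parse import urlencode

# RFC 8693 identifiers for the token-exchange grant.
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def audience_ok(claims, expected):
    """True if already-verified claims name `expected` in aud.

    RFC 7519 allows aud to be a single string or a list of strings.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list):
        return expected in aud
    return False  # missing or malformed aud: reject


def build_exchange_body(subject_token, target, client_id, client_secret):
    """Form body Service A posts to the token endpoint for a `target` token."""
    return urlencode({
        "grant_type": GRANT_TYPE,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": target,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def handle_call(claims, raw_token, me, downstream, secret):
    """Service A: refuse tokens not issued for it, else prepare the exchange."""
    if not audience_ok(claims, me):
        return None  # caller should answer 401/403 instead of forwarding
    return build_exchange_body(raw_token, downstream, me, secret)


# Constructed sample claims (not real tokens).
FOR_A = {"sub": "user-1", "azp": "frontend", "aud": "service-a"}
FOR_B = {"sub": "user-1", "azp": "frontend", "aud": ["service-b", "account"]}

if __name__ == "__main__":
    print(handle_call(FOR_A, "<client-token>", "service-a", "service-b", "<secret>"))
    print(handle_call(FOR_B, "<client-token>", "service-a", "service-b", "<secret>"))
```

Service B applies the same `audience_ok` check against its own client id, so a token issued for Service A is rejected there if it is simply forwarded.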