5:02 a.m.
Hi,
what is the current best solution in Keycloak to support a scenario where
devices needs to authenticate using OAuth against an API?
At the time being, to simplify we use offline-refresh tokens and every
time, it the token is expired, generated out of that a new token.
In term of performance the trick we use is to cache the access token and
refresh it when needed with a background process.
This process, unfortunately, for some tiny computational devices can be
quite demanding and slow down the most important
goal of sending data to the API at given intervarls.
A better solution could be having a way to create never expiring access
tokens (or with a manually defined expired date), we understand
that may introduce security issues, but it would be only for specific
scenarios (and I doubt it will introduce more issues that the offline
token).
Feelings? Suggestions?
Cheers,
Federico
--
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate* <https://www.martel-innovate.com/> - Professional
support for innovation projects
Click to download our innovators' insights!
<https://www.martel-innovate.com/premium-content/>
Follow Us on Twitter <https://twitter.com/Martel_Innovate>
7:12 a.m.
Or you can use long-lived tokens (e.g: 1 week, 1 month) and reduce the
frequency your devices refresh tokens ...
On Wed, Sep 19, 2018 at 7:14 AM Federico Michele Facca <
federico.facca(a)martel-innovate.com> wrote:
Hi,
what is the current best solution in Keycloak to support a scenario where
devices needs to authenticate using OAuth against an API?
At the time being, to simplify we use offline-refresh tokens and every
time, it the token is expired, generated out of that a new token.
In term of performance the trick we use is to cache the access token and
refresh it when needed with a background process.
This process, unfortunately, for some tiny computational devices can be
quite demanding and slow down the most important
goal of sending data to the API at given intervarls.
A better solution could be having a way to create never expiring access
tokens (or with a manually defined expired date), we understand
that may introduce security issues, but it would be only for specific
scenarios (and I doubt it will introduce more issues that the offline
token).
Feelings? Suggestions?
Cheers,
Federico
--
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate* <https://www.martel-innovate.com/> - Professional
support for innovation projects
Click to download our innovators' insights!
<https://www.martel-innovate.com/premium-content/>
Follow Us on Twitter <https://twitter.com/Martel_Innovate>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:20 a.m.
Hi Pedro :)
My understanding (but I may be wrong) is that in this way I will affect the
whole realm not just a client. Correct?
Cheers,
Federico
On 19 September 2018 at 14:12, Pedro Igor Silva <psilva(a)redhat.com> wrote:
Or you can use long-lived tokens (e.g: 1 week, 1 month) and reduce
the
frequency your devices refresh tokens ...
On Wed, Sep 19, 2018 at 7:14 AM Federico Michele Facca <
federico.facca(a)martel-innovate.com> wrote:
> Hi,
> what is the current best solution in Keycloak to support a scenario where
> devices needs to authenticate using OAuth against an API?
>
> At the time being, to simplify we use offline-refresh tokens and every
> time, it the token is expired, generated out of that a new token.
>
> In term of performance the trick we use is to cache the access token and
> refresh it when needed with a background process.
> This process, unfortunately, for some tiny computational devices can be
> quite demanding and slow down the most important
> goal of sending data to the API at given intervarls.
>
> A better solution could be having a way to create never expiring access
> tokens (or with a manually defined expired date), we understand
> that may introduce security issues, but it would be only for specific
> scenarios (and I doubt it will introduce more issues that the offline
> token).
>
> Feelings? Suggestions?
>
> Cheers,
> Federico
>
> --
> *Dr. FEDERICO MICHELE FACCA*
> *Head of Martel Lab*
> 0041 78 807 58 38
> *Martel Innovate* <https://www.martel-innovate.com/> - Professional
> support for innovation projects
> Click to download our innovators' insights!
> <https://www.martel-innovate.com/premium-content/>
> Follow Us on Twitter <https://twitter.com/Martel_Innovate>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate* <https://www.martel-innovate.com/> - Professional
support for innovation projects
Click to download our innovators' insights!
<https://www.martel-innovate.com/premium-content/>
Follow Us on Twitter <https://twitter.com/Martel_Innovate>
7:26 a.m.
Hi,
Yeah, true. Although there are some discussions happening about overriding
token lifetime in clients. But yeah, right now any change at this regard
will affect all clients in your realm ...
On Wed, Sep 19, 2018 at 9:20 AM Federico Michele Facca <
federico.facca(a)martel-innovate.com> wrote:
Hi Pedro :)
My understanding (but I may be wrong) is that in this way I will affect
the whole realm not just a client. Correct?
Cheers,
Federico
On 19 September 2018 at 14:12, Pedro Igor Silva <psilva(a)redhat.com> wrote:
> Or you can use long-lived tokens (e.g: 1 week, 1 month) and reduce the
> frequency your devices refresh tokens ...
>
> On Wed, Sep 19, 2018 at 7:14 AM Federico Michele Facca <
> federico.facca(a)martel-innovate.com> wrote:
>
>> Hi,
>> what is the current best solution in Keycloak to support a scenario where
>> devices needs to authenticate using OAuth against an API?
>>
>> At the time being, to simplify we use offline-refresh tokens and every
>> time, it the token is expired, generated out of that a new token.
>>
>> In term of performance the trick we use is to cache the access token and
>> refresh it when needed with a background process.
>> This process, unfortunately, for some tiny computational devices can be
>> quite demanding and slow down the most important
>> goal of sending data to the API at given intervarls.
>>
>> A better solution could be having a way to create never expiring access
>> tokens (or with a manually defined expired date), we understand
>> that may introduce security issues, but it would be only for specific
>> scenarios (and I doubt it will introduce more issues that the offline
>> token).
>>
>> Feelings? Suggestions?
>>
>> Cheers,
>> Federico
>>
>> --
>> *Dr. FEDERICO MICHELE FACCA*
>> *Head of Martel Lab*
>> 0041 78 807 58 38
>> *Martel Innovate* <https://www.martel-innovate.com/> - Professional
>> support for innovation projects
>> Click to download our innovators' insights!
>> <https://www.martel-innovate.com/premium-content/>
>> Follow Us on Twitter <https://twitter.com/Martel_Innovate>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
--
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate* <https://www.martel-innovate.com/> - Professional
support for innovation projects
Click to download our innovators' insights!
<https://www.martel-innovate.com/premium-content/>
Follow Us on Twitter <https://twitter.com/Martel_Innovate>
9:14 a.m.
what about taking a similar approach to "access_offline" role?
having a role which is "infinite_token" that if granted and used as scope
in a request grants you a token that last until not revoked?
federico
On 19 September 2018 at 14:26, Pedro Igor Silva <psilva(a)redhat.com> wrote:
Hi,
Yeah, true. Although there are some discussions happening about overriding
token lifetime in clients. But yeah, right now any change at this regard
will affect all clients in your realm ...
On Wed, Sep 19, 2018 at 9:20 AM Federico Michele Facca <
federico.facca(a)martel-innovate.com> wrote:
> Hi Pedro :)
> My understanding (but I may be wrong) is that in this way I will affect
> the whole realm not just a client. Correct?
>
> Cheers,
> Federico
>
> On 19 September 2018 at 14:12, Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Or you can use long-lived tokens (e.g: 1 week, 1 month) and reduce the
>> frequency your devices refresh tokens ...
>>
>> On Wed, Sep 19, 2018 at 7:14 AM Federico Michele Facca <
>> federico.facca(a)martel-innovate.com> wrote:
>>
>>> Hi,
>>> what is the current best solution in Keycloak to support a scenario
>>> where
>>> devices needs to authenticate using OAuth against an API?
>>>
>>> At the time being, to simplify we use offline-refresh tokens and every
>>> time, it the token is expired, generated out of that a new token.
>>>
>>> In term of performance the trick we use is to cache the access token and
>>> refresh it when needed with a background process.
>>> This process, unfortunately, for some tiny computational devices can be
>>> quite demanding and slow down the most important
>>> goal of sending data to the API at given intervarls.
>>>
>>> A better solution could be having a way to create never expiring access
>>> tokens (or with a manually defined expired date), we understand
>>> that may introduce security issues, but it would be only for specific
>>> scenarios (and I doubt it will introduce more issues that the offline
>>> token).
>>>
>>> Feelings? Suggestions?
>>>
>>> Cheers,
>>> Federico
>>>
>>> --
>>> *Dr. FEDERICO MICHELE FACCA*
>>> *Head of Martel Lab*
>>> 0041 78 807 58 38
>>> *Martel Innovate* <https://www.martel-innovate.com/> - Professional
>>> support for innovation projects
>>> Click to download our innovators' insights!
>>> <https://www.martel-innovate.com/premium-content/>
>>> Follow Us on Twitter <https://twitter.com/Martel_Innovate>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>
>
> --
> *Dr. FEDERICO MICHELE FACCA*
> *Head of Martel Lab*
> 0041 78 807 58 38
> *Martel Innovate* <https://www.martel-innovate.com/> - Professional
> support for innovation projects
> Click to download our innovators' insights!
> <https://www.martel-innovate.com/premium-content/>
> Follow Us on Twitter <https://twitter.com/Martel_Innovate>
>
--
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate* <https://www.martel-innovate.com/> - Professional
support for innovation projects
Click to download our innovators' insights!
<https://www.martel-innovate.com/premium-content/>
Follow Us on Twitter <https://twitter.com/Martel_Innovate>
2276
days inactive
2276
days old
4 comments
2 participants
participants (2)
-
Federico Michele Facca -
Pedro Igor Silva