[keycloak-dev] Service accounts - version 1 commited

Marek Posolda mposolda at redhat.com
Wed Jul 22 05:41:34 EDT 2015

Few points to how it works now:

- There is new boolean flag setServiceAccountsEnabled on ClientModel. 
That's the only model change

- There is new tab "Service accounts" for confidential clients in admin 
console . Right now, service account authentication is available just 
for confidential clients, not bearer-only or public clients. The tab 
contains just one on/off switch for enable/disable service account 
authentication support. It's disabled by default. I think for the next 
release we can add the table with Authentication mechanisms for clients, 
so admin can choose for example that Client Credentials Grant is 
"DISABLED" and Certificate authentication is "ALTERNATIVE" etc. Right 
now, the client authentication is available just through OAuth2 Client 
Credentials Grant (authentication with clientId + client secret)

- When service account enabled for client "foo", new user 
"service-account-foo" is created . I've added the "service-account-" 
prefix just to make more visible that this is not normal user, but user 
dedicated to service account. The user has also attribute with client DB 
ID (It's really DB ID, not clientId) and the binding between client and 
user is through this attribute. Hence when admin renames clientId of 
this client or renames the username of service account user, the binding 
still works. The roles available to this user are used in the token 
dedicated to service account.

- The existing TokenEndpoint is reused for service account 
authentication. Just new grantType "client_credentials" is added as per 
OAuth2 specs.

- The token retrieved through service account has few additional 
attributes available in otherClaims(). Those are added by protocol 
mappers, which are created when service account authentication is 
enabled. Right now, it's just clientID, clientHost and client address 
(host and address are retrieved dynamically from ClientConnection used 
during auth request to TokenEndpoint). Should we have more info 
available in service account access token?

- Sample app "service-account-example" added to the demo

- Only missing piece for the 1.4 release seems to be docs unless you 
have additional feedback.



More information about the keycloak-dev mailing list