[keycloak-user] Questions about keycloak

Ruben Lopez rubenlop88 at gmail.com
Thu Dec 11 12:07:22 EST 2014


I have a couple more questions.

1) Will you implement the features requested in KEYCLOAK-402 and
KEYCLOAK-405? If so, when?
2) Are there any plans to support Integrated Windows Authentication?

Thanks :)

2014-11-28 5:04 GMT-03:00 Stian Thorgersen <stian at redhat.com>:

>
>
> ----- Original Message -----
> > From: "Ruben Lopez" <rubenlop88 at gmail.com>
> > To: "Marek Posolda" <mposolda at redhat.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Thursday, 27 November, 2014 5:37:45 PM
> > Subject: Re: [keycloak-user] Questions about keycloak
> >
> > Hi Marek,
> >
> > 2014-11-27 12:38 GMT-03:00 Marek Posolda < mposolda at redhat.com > :
> >
> > 1 - Is there any way to obtain an access token for an OAuth Client via
> > Client Credentials[1]?
> > You mean something like Service account like this from OAuth2 specs
> > http://tools.ietf.org/html/rfc6749#page-40 ? We don't have that yet, but
> > there are plans to support it afaik.
> >
> > Yes, I was talking about section 4.4 Client Credentials Grant. Any idea
> > about when it will be implemented?
>
> I can't give you an exact date, but it's becoming more and more of a
> priority so should be within a few months. We also plan to add cert based
> authentication for clients.
>
> In the meantime you can work around this issue by creating a user on
> behalf of the client and use Resource Owner Password Credentials Grant
> (section #4.3). Look at 'examples/preconfigured-demo/admin-access' in the
> download for an example.
>
> >
> > 2 - If we make a request to an Application (Resource Server) with an access
> > token and this Application needs to talk to another protected Application to
> > form the response to the client, how does the first Application
> > authenticate to the second Application? Does Keycloak implement something
> > like Chain Grant Type Profile[2]?
> > Yes, that is doable. We have an example where we have frontend application
> > like 'customer-portal', which is able to retrieve accessToken from keycloak
> > like here:
> > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48
> > and then use this accessToken to send request to backend application
> > 'database-service' in Authorization header
> > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54
> > . Database-service is then able to authenticate the token.
> >
> > Currently our database-service is directly serving requests and send back
> > data, but it shouldn't be a problem to add another application to the chain,
> > so that database-service will send the token again to another app like
> > 'real-database-service', which will return data and those data will be sent
> > back to the original frontend requestor (customer-portal). Is it something
> > what you meant?
> >
> > That's exactly what I meant. I will take a look at the example.
> >
> > Thank you very much.
> >
> >
> > Marek
> >
> >
> > Thanks in advance.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
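
The workaround described in the quoted reply (section 4.3 with a user created for the client), beside the section 4.4 request that was asked about and the bearer header used to pass a token to a backend, as an added example that is not part of the thread or of Keycloak's code. The endpoint URL, client id, user name and secrets are constructed placeholders; the requests are built per RFC 6749 and not sent.

```python
import base64
from urllib.parse import quote_plus, urlencode, urlsplit
from urllib.request import Request

# Constructed placeholder; substitute the token endpoint of your own realm.
TOKEN_ENDPOINT = "https://sso.example.test/token"

def _basic_auth(client_id: str, client_secret: str) -> str:
    # RFC 6749 section 2.3.1: form-urlencode both parts before Base64.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def token_request(endpoint, client_id, client_secret, params) -> Request:
    """Build (not send) an authenticated POST to the token endpoint."""
    if urlsplit(endpoint).scheme != "https":
        # Client secret and user password travel in this request.
        raise ValueError("token endpoint must use https")
    return Request(
        endpoint,
        data=urlencode(params).encode(),
        headers={
            "Authorization": _basic_auth(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )

def password_grant(endpoint, client_id, client_secret, username, password):
    """Section 4.3 workaround: log in as a user created for the client."""
    return token_request(endpoint, client_id, client_secret, {
        "grant_type": "password", "username": username, "password": password})

def client_credentials_grant(endpoint, client_id, client_secret):
    """Section 4.4: the client authenticates as itself, no user involved."""
    return token_request(endpoint, client_id, client_secret,
                         {"grant_type": "client_credentials"})

def bearer_header(access_token: str) -> dict:
    # Header a service attaches when it passes the token to a backend.
    return {"Authorization": "Bearer " + access_token}

if __name__ == "__main__":
    req = password_grant(TOKEN_ENDPOINT, "backend-job", "constructed-secret",
                         "svc-backend-job", "constructed-password")
    print(req.get_method(), req.full_url, req.data.decode())
```

With the section 4.3 workaround the service stores a user password in addition to its client secret, so the user created for the client should carry only the roles that client needs.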