[keycloak-user] Questions about keycloak

Ruben Lopez rubenlop88 at gmail.com
Tue Dec 16 11:18:04 EST 2014


Thanks for the quick answers!

I couldn't find documentation about how to install Keycloak 1.0 in a
clustered environment. I know that Keycloak 1.1 does have documentation
about this but it is still in beta and the company I work for needs to know
if there is a similar mechanism that can be implemented with Keycloak 1.0.

On Fri Dec 12 2014 at 6:44:00 AM, Marek Posolda <mposolda at redhat.com>
wrote:

> On 11.12.2014 18:07, Ruben Lopez wrote:
>
> I have a couple more questions.
>
>  1) Will you implement the features requested in KEYCLOAK-402 and
> KEYCLOAK-405? If so, when?
>
> Hard to say exactly, but it looks like it will be quite soon, as it is a
> requirement from more people and potential customers. Hopefully in terms
> of weeks/months, but it is hard to promise an exact date... I think it
> would require enhancing our existing password policies, but those would be
> a bit harder to add than the current simple policies, as it will also
> require storing some info in the database (like password expiration time
> and older passwords).
>
>   2) Are there any plans to support Integrated Windows Authentication?
>
> You mean login to KC when the user is already logged in to a Windows
> domain? Yes, we have a plan to add Kerberos/SPNEGO soon and I think that
> it should solve Windows domain authentication too. Hopefully around January.
>
>
> Marek
>
>
>  Thanks :)
>
> 2014-11-28 5:04 GMT-03:00 Stian Thorgersen <stian at redhat.com>:
>
>>
>>
>> ----- Original Message -----
>> > From: "Ruben Lopez" <rubenlop88 at gmail.com>
>> > To: "Marek Posolda" <mposolda at redhat.com>
>> > Cc: keycloak-user at lists.jboss.org
>> > Sent: Thursday, 27 November, 2014 5:37:45 PM
>> > Subject: Re: [keycloak-user] Questions about keycloak
>> >
>> > Hi Marek,
>> >
>> > 2014-11-27 12:38 GMT-03:00 Marek Posolda < mposolda at redhat.com > :
>> >
>> > 1 - Is there any way to obtain an access token for an OAuth Client via
>> > Client Credentials[1]?
>> > You mean something like Service account like this from OAuth2 specs
>> > http://tools.ietf.org/html/rfc6749#page-40 ? We don't have that yet, but
>> > there are plans to support it afaik.
>> >
>> > Yes, I was talking about section 4.4 Client Credentials Grant. Any idea
>> > about when it will be implemented?
>>
>> I can't give you an exact date, but it's becoming more and more of a
>> priority so should be within a few months. We also plan to add cert based
>> authentication for clients.
>>
>> In the meantime you can work around this issue by creating a user on
>> behalf of the client and use Resource Owner Password Credentials Grant
>> (section #4.3). Look at 'examples/preconfigured-demo/admin-access' in the
>> download for an example.
>>
>> >
>> > 2 - If we make a request to an Application (Resource Server) with an
>> > access token and this Application needs to talk to another protected
>> > Application to form the response to the client, how does the first
>> > Application authenticate to the second Application? Does Keycloak
>> > implement something like Chain Grant Type Profile[2]?
>> > Yes, that is doable. We have an example where we have a frontend
>> > application like 'customer-portal', which is able to retrieve the
>> > accessToken from keycloak like here:
>> > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48
>> > and then use this accessToken to send a request to the backend
>> > application 'database-service' in the Authorization header
>> > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54
>> > . Database-service is then able to authenticate the token.
>> >
>> > Currently our database-service is directly serving requests and sending
>> > back data, but it shouldn't be a problem to add another application to
>> > the chain, so that database-service will send the token again to another
>> > app like 'real-database-service', which will return data and those data
>> > will be sent back to the original frontend requestor (customer-portal).
>> > Is that what you meant?
>> >
>> > That's exactly what I meant. I will take a look at the example.
>> >
>> > Thank you very much.
>> >
>> > Marek
>> >
>> > Thanks in advance.
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
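
The token relay described in the quoted answer (customer-portal to database-service to a further 'real-database-service'), as an added example that is not part of the thread or of the Keycloak code base: every hop validates the bearer token before acting and forwards the Authorization header unchanged. The HMAC-signed token, the key and the function names are assumptions standing in for Keycloak's signed access tokens and the real services.

```python
import base64, hashlib, hmac, json

# Constructed demo key. Assumption: HS256 stands in for the realm's own
# token signature so the example runs with the standard library only.
REALM_KEY = b"constructed-demo-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(REALM_KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_token(subject: str, ttl: int, now: float) -> str:
    """Stand-in for the auth server: issue a compact signed token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"sub": subject, "exp": int(now) + ttl}).encode())
    return f"{header}.{claims}.{b64url(sign(f'{header}.{claims}'))}"

def authenticate(headers: dict, now: float) -> dict:
    """Check each resource server runs on the incoming Authorization header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise PermissionError("missing bearer token")
    header, claims, sig = token.split(".")
    if json.loads(unb64url(header)).get("alg") != "HS256":
        raise PermissionError("unexpected algorithm")
    if not hmac.compare_digest(sign(f"{header}.{claims}"), unb64url(sig)):
        raise PermissionError("bad signature")
    data = json.loads(unb64url(claims))
    if data["exp"] <= now:
        raise PermissionError("token expired")
    return data

def real_database_service(headers: dict, now: float) -> list:
    user = authenticate(headers, now)      # last hop validates again
    return [f"customer record visible to {user['sub']}"]

def database_service(headers: dict, now: float) -> list:
    authenticate(headers, now)             # middle hop validates before relaying
    relay = {"Authorization": headers["Authorization"]}  # token forwarded as-is
    return real_database_service(relay, now)

def customer_portal(token: str, now: float) -> list:
    return database_service({"Authorization": f"Bearer {token}"}, now)
```

Because the same token travels down the chain, an expired or altered token is rejected at the first hop that sees it.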