[keycloak-user] Questions about keycloak

Marek Posolda mposolda at redhat.com
Tue Dec 16 11:55:45 EST 2014


If you are interested in just the Keycloak 1.0 server running in a cluster and 
not in the secured applications themselves, then just these two things are required:
1) Use 'jpa' or 'mongo' as the userSession provider in keycloak-server.json 
and use a shared database among all cluster nodes. By default Keycloak 
uses the 'mem' provider, which means that user sessions are stored in the 
memory of the particular Keycloak server. This performs well, but is not 
cluster aware.
2) Disable both the realm and user cache in the admin console, as the caches are 
also stored just in local memory.

Both (1) and (2) should ensure that your Keycloak server will be 
cluster-safe, but they are quite bad for performance. From 1.1.0.Beta1 
we have an infinispan provider for user sessions, realm caches and user 
caches. This ensures both cluster-safety and good performance.

Marek
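As an added illustration of step (1) above (this fragment is not from the original message and not Keycloak's shipped file): the part of keycloak-server.json on a 1.0 node that selects the user-session provider and the shared datasource. The stock file ships with "provider": "mem" here; switching it to "jpa" makes every node read and write sessions in the database behind the configured datasource. The key names (userSessions, connectionsJpa, dataSource, databaseSchema) and the JNDI name KeycloakDS follow the 1.0 default file as I remember it and should be checked against the file in your own distribution; the datasource name in particular is an assumption.

```json
{
    "userSessions": {
        "provider": "jpa"
    },

    "connectionsJpa": {
        "default": {
            "dataSource": "java:jboss/datasources/KeycloakDS",
            "databaseSchema": "update"
        }
    }
}
```

The same datasource must resolve to the same database on every node, otherwise a login on one node produces a session the other nodes cannot find. With 'mongo' the provider name changes to "mongo" and the connection settings live under "connectionsMongo" instead. Step (2), disabling the realm and user caches, is done in the admin console as described above, not in this file; until that is done a realm change made through one node is invisible to the others until they restart.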

On 16.12.2014 17:18, Ruben Lopez wrote:
> Thanks for the quick answers!
>
> I couldn't find documentation about how to install Keycloak 1.0 in a 
> clustered environment. I know that Keycloak 1.1 does have 
> documentation about this but it is still in beta and the company I 
> work for needs to know if there is a similar mechanism that can be 
> implemented with Keycloak 1.0.
>
> On Fri Dec 12 2014 at 6:44:00 AM, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     On 11.12.2014 18:07, Ruben Lopez wrote:
>>     I have a couple more questions.
>>
>>     1) Will you implement the features requested in KEYCLOAK-402 and
>>     KEYCLOAK-405? If so, when?
>     Hard to say exactly, but it looks like it will be quite soon as it is
>     a requirement from more people and potential customers. Hopefully
>     in terms of weeks/months, but hard to promise an exact date... I
>     think it would require enhancing our existing password policies, but
>     those would be a bit harder to add than the current simple policies as
>     it will also require storing some info in the database (like password
>     expiration time and older passwords).
>
>>     2) Are there any plans to support Integrated Windows Authentication?
>     You mean login to KC when the user is already logged in to the Windows
>     domain? Yes, we have a plan to add Kerberos/SPNEGO soon and I think
>     that it should solve Windows domain authentication too. Hopefully
>     around January.
>
>
>     Marek
>
>>
>>     Thanks :)
>>
>>     2014-11-28 5:04 GMT-03:00 Stian Thorgersen <stian at redhat.com
>>     <mailto:stian at redhat.com>>:
>>
>>
>>
>>         ----- Original Message -----
>>         > From: "Ruben Lopez" <rubenlop88 at gmail.com
>>         <mailto:rubenlop88 at gmail.com>>
>>         > To: "Marek Posolda" <mposolda at redhat.com
>>         <mailto:mposolda at redhat.com>>
>>         > Cc: keycloak-user at lists.jboss.org
>>         <mailto:keycloak-user at lists.jboss.org>
>>         > Sent: Thursday, 27 November, 2014 5:37:45 PM
>>         > Subject: Re: [keycloak-user] Questions about keycloak
>>         >
>>         > Hi Marek,
>>         >
>>         > 2014-11-27 12:38 GMT-03:00 Marek Posolda <
>>         mposolda at redhat.com <mailto:mposolda at redhat.com> > :
>>         >
>>         > 1 - Is there any way to obtain an access token for an OAuth
>>         Client via Client
>>         > Credentials[1]?
>>         > You mean something like Service account like this from
>>         OAuth2 specs
>>         > http://tools.ietf.org/html/rfc6749#page-40 ? We don't have
>>         that yet, but
>>         > there are plans to support it afaik.
>>         >
>>         > Yes, I was talking about section 4.4 Client Credentials
>>         Grant. Any idea
>>         > about when it will be implemented?
>>
>>         I can't give you an exact date, but it's becoming more and
>>         more of a priority so should be within a few months. We also
>>         plan to add cert based authentication for clients.
>>
>>         In the mean-time you can work-around this issue by creating a
>>         user on behalf of the client and use Resource Owner Password
>>         Credentials Grant (section #4.3). Look at
>>         'examples/preconfigured-demo/admin-access' in the download
>>         for an example.
>>
>>         >
>>         > 2 - If we make a request to an Application (Resource
>>         Server) with an access
>>         > token and this Application needs to talk to another
>>         protected Application to
>>         > form the response to the client, how does the first Application
>>         > authenticate to the second Application? Does Keycloak
>>         implement something
>>         > like the Chain Grant Type Profile[2]?
>>         > yes, that is doable. We have an example where we have
>>         frontend application
>>         > like 'customer-portal', which is able to retrieve
>>         accessToken from keycloak
>>         > like here:
>>         >
>>         https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48
>>         > and then use this accessToken to send request to backend
>>         application
>>         > 'database-service' in Authorization header
>>         >
>>         https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54
>>         > . Database-service is then able to authenticate the token.
>>         >
>>         > Currently our database-service is directly serving requests
>>         and sending back
>>         > data, but it shouldn't be a problem to add another
>>         application to the chain,
>>         > so that database-service will send the token again to
>>         another app like
>>         > 'real-database-service', which will return data and that
>>         data will be sent
>>         > back to the original frontend requestor (customer-portal).
>>         Is it something
>>         > like what you meant?
>>         >
>>         > That's exactly what I meant. I will take a look at the example.
>>         >
>>         > Thank you very much.
>>         >
>>         >
>>         > Marek
>>         >
>>         > Thanks in advance.
>>         >
>>         >
>>         > _______________________________________________
>>         > keycloak-user mailing list keycloak-user at lists.jboss.org
>>         <mailto:keycloak-user at lists.jboss.org>
>>         > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>         >
>>         >
>>         >
>>         > _______________________________________________
>>         > keycloak-user mailing list
>>         > keycloak-user at lists.jboss.org
>>         <mailto:keycloak-user at lists.jboss.org>
>>         > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>

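The token chain discussed in the quoted exchange above (customer-portal calls database-service, which could in turn call a further service with the same bearer token) as an added example. This is not code from the original thread or from the Keycloak demo applications; it shows what a middle hop looks like when it is deployed behind the Keycloak servlet adapter, which has already validated the incoming token before the servlet runs. The servlet name, the hypothetical downstream URL in NEXT_HOP, and the use of plain HttpURLConnection for the outbound call are my choices; the KeycloakSecurityContext request attribute and its getTokenString() method are the adapter's standard way of exposing the verified token.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakSecurityContext;

/**
 * Middle hop in a token chain (example code, not the Keycloak demo).
 * The Keycloak adapter in front of this servlet has already checked the
 * signature, expiry and realm of the incoming bearer token; this servlet
 * simply forwards that same token to the next protected service.
 */
public class ChainedCustomerServlet extends HttpServlet {

    // Hypothetical next hop, e.g. the 'real-database-service' from the thread.
    // Use HTTPS in a real deployment: the bearer token travels in a header.
    private static final String NEXT_HOP = "https://real-database.example.internal/customers";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            // The adapter did not authenticate this request. Refuse rather than
            // calling downstream without a token or with one we did not verify.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The user's original access token, unchanged. Every hop that receives
        // it gets the full set of claims, so each downstream service must be
        // trusted with the user's identity and realm roles.
        String bearer = ctx.getTokenString();

        String body;
        try {
            body = forward(NEXT_HOP, bearer);
        } catch (IOException e) {
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY, e.getMessage());
            return;
        }
        resp.setContentType("application/json");
        resp.setCharacterEncoding("UTF-8");
        resp.getWriter().write(body);
    }

    /** GET the next hop with the token in the Authorization header and return its body. */
    static String forward(String url, String bearerToken) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization", "Bearer " + bearerToken);
        conn.setRequestProperty("Accept", "application/json");
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(5000);

        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            // 401 here usually means the token expired in flight; the caller
            // must obtain a fresh one, this hop cannot refresh on its behalf.
            throw new IOException("downstream returned HTTP " + status);
        }
        try (InputStream in = conn.getInputStream()) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
            return new String(buf.toByteArray(), StandardCharsets.UTF_8);
        }
    }
}
```

This is plain bearer-token forwarding, which is what the quoted example demonstrates; it is not the OAuth chained-grant exchange the questioner referenced, where the middle service would trade the incoming token for a new, narrower one. Consequences to keep in mind: the token keeps its original expiry across the whole chain, each service in the chain sees everything the first one saw, and every hop must still run its own adapter validation rather than trusting the previous hop.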