[keycloak-user] Questions about keycloak

Stian Thorgersen stian at redhat.com
Wed Dec 17 03:06:47 EST 2014


Keycloak 1.1 will be out at the beginning of January, and as Marek said it'll have much improved clustering support over 1.0

----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Ruben Lopez" <rubenlop88 at gmail.com>, "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, 16 December, 2014 5:55:45 PM
> Subject: Re: [keycloak-user] Questions about keycloak
> 
> If you are interested in just the Keycloak 1.0 server running in a cluster
> and not the secured applications themselves, then just these 2 things are
> required:
> 1) Use 'jpa' or 'mongo' as the userSession provider in keycloak-server.json
> and use a shared database among all cluster nodes. By default Keycloak is
> using the 'mem' provider, which means that user sessions are stored in the
> memory of the particular Keycloak server. This performs well, but is not
> cluster aware.
> 2) Disable both the realm and user cache in the admin console, as caches are
> also stored just in local memory.
> 
> Both (1) and (2) should ensure that your Keycloak server will be
> cluster-safe, but they are quite bad for performance. From 1.1.0.Beta1
> we have an Infinispan provider for user sessions, realm caches and user
> caches. This ensures both cluster-safety and good performance.
> 
> Marek
> 
> On 16.12.2014 17:18, Ruben Lopez wrote:
> > Thanks for the quick answers!
> >
> > I couldn't find documentation about how to install Keycloak 1.0 in a
> > clustered environment. I know that Keycloak 1.1 does have
> > documentation about this but it is still in beta and the company I
> > work for needs to know if there is a similar mechanism that can be
> > implemented with Keycloak 1.0.
> >
> > On Fri Dec 12 2014 at 6:44:00 AM, Marek Posolda <mposolda at redhat.com
> > <mailto:mposolda at redhat.com>> wrote:
> >
> >     On 11.12.2014 18:07, Ruben Lopez wrote:
> >>     I have a couple more questions.
> >>
> >>     1) Will you implement the features requested in KEYCLOAK-402 and
> >>     KEYCLOAK-405? If so, when?
> >     Hard to say exactly, but it looks like it will be quite soon as it is
> >     a requirement from more people and potential customers. Hopefully
> >     in terms of weeks/months, but hard to promise an exact date... I
> >     think it would require enhancing our existing password policies, but
> >     those would be a bit harder to add than the current simple policies as
> >     it will also require storing some info in the database (like password
> >     expiration time and older passwords).
> >
> >>     2) Are there any plans to support Integrated Windows Authentication?
> >     You mean login to KC when the user is already logged in to a Windows
> >     domain? Yes, we have plans to add Kerberos/SPNEGO soon and I think
> >     that it should solve Windows domain authentication too. Hopefully
> >     around January.
> >
> >
> >     Marek
> >
> >>
> >>     Thanks :)
> >>
> >>     2014-11-28 5:04 GMT-03:00 Stian Thorgersen <stian at redhat.com
> >>     <mailto:stian at redhat.com>>:
> >>
> >>
> >>
> >>         ----- Original Message -----
> >>         > From: "Ruben Lopez" <rubenlop88 at gmail.com
> >>         <mailto:rubenlop88 at gmail.com>>
> >>         > To: "Marek Posolda" <mposolda at redhat.com
> >>         <mailto:mposolda at redhat.com>>
> >>         > Cc: keycloak-user at lists.jboss.org
> >>         <mailto:keycloak-user at lists.jboss.org>
> >>         > Sent: Thursday, 27 November, 2014 5:37:45 PM
> >>         > Subject: Re: [keycloak-user] Questions about keycloak
> >>         >
> >>         > Hi Marek,
> >>         >
> >>         > 2014-11-27 12:38 GMT-03:00 Marek Posolda <
> >>         mposolda at redhat.com <mailto:mposolda at redhat.com> > :
> >>         >
> >>         > 1 - Is there any way to obtain an access token for an OAuth
> >>         > Client via Client Credentials[1]?
> >>         > You mean something like a Service account like this from the
> >>         > OAuth2 spec http://tools.ietf.org/html/rfc6749#page-40 ? We
> >>         > don't have that yet, but there are plans to support it afaik.
> >>         >
> >>         > Yes, I was talking about section 4.4 Client Credentials
> >>         > Grant. Any idea about when it will be implemented?
> >>
> >>         I can't give you an exact date, but it's becoming more and
> >>         more of a priority so it should be within a few months. We also
> >>         plan to add cert-based authentication for clients.
> >>
> >>         In the meantime you can work around this issue by creating a
> >>         user on behalf of the client and using the Resource Owner
> >>         Password Credentials Grant (section 4.3). Look at
> >>         'examples/preconfigured-demo/admin-access' in the download
> >>         for an example.
> >>
> >>         >
> >>         > 2 - If we make a request to an Application (Resource
> >>         > Server) with an access token and this Application needs to
> >>         > talk to another protected Application to form the response
> >>         > to the client, how does the first Application authenticate
> >>         > to the second Application? Does Keycloak implement something
> >>         > like the Chain Grant Type Profile[2]?
> >>         > yes, that is doable. We have an example where we have a
> >>         > frontend application like 'customer-portal', which is able
> >>         > to retrieve an accessToken from Keycloak like here:
> >>         > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48
> >>         > and then uses this accessToken to send a request to the
> >>         > backend application 'database-service' in the Authorization
> >>         > header:
> >>         > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L54
> >>         > Database-service is then able to authenticate the token.
> >>         >
> >>         > Currently our database-service is directly serving requests
> >>         > and sending back data, but it shouldn't be a problem to add
> >>         > another application to the chain, so that database-service
> >>         > will send the token again to another app like
> >>         > 'real-database-service', which will return data and that
> >>         > data will be sent back to the original frontend requestor
> >>         > (customer-portal). Is that what you meant?
> >>         >
> >>         > That's exactly what I meant. I will take a look at the example.
> >>         >
> >>         > Thank you very much.
> >>         >
> >>         > Marek
> >>         >
> >>         > Thanks in advance.
> >>         >
> >>         > _______________________________________________
> >>         > keycloak-user mailing list keycloak-user at lists.jboss.org
> >>         <mailto:keycloak-user at lists.jboss.org>
> >>         > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >>
> >
> 
> 
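As an added illustration of the token chain Marek describes above (this is not code from the Keycloak examples he links to): each service in the chain authenticates the bearer token it received before forwarding the same token to the next service, so a forged or expired token is rejected at every hop. It assumes a constructed HS256 shared secret as a stand-in for Keycloak's RS256 realm key so that it runs offline, and the service and function names are hypothetical.

```python
import base64, hashlib, hmac, json, time
# Constructed stand-in for the realm signing key. Keycloak signs tokens with
# the realm's RSA key (RS256); HS256 is used only so this runs offline.
REALM_SECRET = b"constructed-example-secret"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(subject, expires_in=300, now=None):
    """Constructed token standing in for the one customer-portal obtains."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "exp": now + expires_in}).encode())
    sig = hmac.new(REALM_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, now=None):
    """Each hop does this before trusting a request: check alg, signature, expiry."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(REALM_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

def bearer_from(headers):
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise ValueError("missing bearer token")
    return auth[len("Bearer "):]

def real_database_service(headers, now=None):
    """Last hop: authenticates the forwarded token and returns data."""
    claims = verify_token(bearer_from(headers), now)
    return {"rows": ["row-for-" + claims["sub"]]}

def database_service(headers, now=None):
    """Middle hop: authenticates the token, then forwards the same token onward."""
    token = bearer_from(headers)
    verify_token(token, now)
    return real_database_service({"Authorization": "Bearer " + token}, now)
```

In a real deployment each hop would also check the token's audience and the realm's public key; the shared secret here only models the "every hop verifies" pattern.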


