[keycloak-user] Recommendations for protecting REST service with bearer token and basic auth

Stian Thorgersen stian at redhat.com
Fri Nov 21 10:37:37 EST 2014 


----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 21 November, 2014 2:47:39 PM
> Subject: Re: [keycloak-user] Recommendations for protecting REST service with bearer token and basic auth
> 
> Why do you need to do something that complicated?  You could have
> per-app/oauth-client token policies.  The token policy could have a
> refresh token expiration policy of never.  Then everything just hooks
> into existing screens and architecture.

That'd be good as well, but it would still expire when user session expires. You need to have an option to let a client create tokens that are not linked to the user session. Also, for oauth clients the grant page should say that the app is requesting offline access. Having an offline toggle and per-app expiration would work at least initially, but I think in the future we'll have to support scope query param.

> 
> On 11/21/2014 6:22 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Juraci Paixão Kröhling" <juraci at kroehling.de>
> >> To: keycloak-user at lists.jboss.org
> >> Sent: Friday, 21 November, 2014 11:29:09 AM
> >> Subject: Re: [keycloak-user] Recommendations for protecting REST service
> >> with bearer token and basic auth
> >>
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA512
> >>
> >> On 11/19/2014 05:16 PM, Stian Thorgersen wrote:
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com> To:
> >>>> keycloak-user at lists.jboss.org Sent: Wednesday, 19 November, 2014
> >>>> 4:01:36 PM Subject: Re: [keycloak-user] Recommendations for
> >>>> protecting REST service with bearer token and basic auth
> >>>>
> >>>> You guys are basically describing certificate auth.
> >>>
> >>> Yes for the one use-case I described (where the app is the user).
> >>> There's also the case where a user gives an application permanent
> >>> (offline) access to their account. In Google they have a special
> >>> scope you can request for this
> >>> (https://developers.google.com/accounts/docs/OAuth2WebServer#offline).
> >>>
> >>>
> >> If there are no objections, I'll start scratching an implementation of
> >> this offline mode, as something on this direction will be needed for
> >> the project I'm helping with.
> >
> > Sure, that would be great. There's a fair amount of work here though:
> >
> > 1. Account management needs to view clients with access and allow revoking
> > individual clients
> > 2. Need some built-in special role for apps to request offline tokens
> > 3. Need to support scope param to actually request the above role
> > 4. Need to support client sessions that are not connected to a user session
> > - and also clean-up of these
> > 5. Probably need an expiration for offline tokens, which needs to be
> > configurable through the admin console
> >
> >>
> >> Ideally, the project would benefit from using service accounts instead
> >> of acting on behalf of an specific user, but as there will be only one
> >> account per user/realm, this would do for now :-)
> >>
> >> - - Juca.
> >>
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1
> >>
> >> iQEcBAEBCgAGBQJUbxP1AAoJEDnJtskdmzLM7IQH/RFJ5Cf0reec9CgMjxO1D1tt
> >> lgS20P6d17Ki0UocoNidp59YdP5TRKycYbCMchbfTZu4In+9gEBzsdxK+4acprPF
> >> sp6WCa1Comc8vFCX8Or9gxUEDRH+axWR4t/bIsBf23IvXQ1BUIVg0s21RxFoMhPP
> >> fGHoaAEGthez6Dhr7GSwr46FEO2xP94jHJ7nAs67DNeh0vvZmQ1iynBkF3NmfQzP
> >> dMCjny4i2D/UZCcSr72ud0DnoAi//vIQ86KObrqsiHV2eOhWYfHB9TozC/P1lKVM
> >> 5D8qByrnxtmgA/nYNuRFmKTYf2n6MZTU5AlSFJZr4svU6isl2zwkpczhwDRshjc=
> >> =x/UK
> >> -----END PGP SIGNATURE-----
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list