[keycloak-user] Recommendations for protecting REST service with bearer token and basic auth
stian at redhat.com
Mon Nov 24 03:27:42 EST 2014
There are two separate issues here:
* Offline tokens - the ability for a client to obtain a token that is long lived and survives a user logout
* Service accounts - an account for non-humans. If an application can authenticate as itself (to swap code-to-token) using a secret or certificate, it shouldn't need to also authenticate as the "user".
----- Original Message -----
> From: "Juraci Paixão Kröhling" <juraci at kroehling.de>
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 21 November, 2014 6:15:24 PM
> Subject: Re: [keycloak-user] Recommendations for protecting REST service with bearer token and basic auth
> On 11/21/2014 05:55 PM, Bill Burke wrote:
> > Why does a "service account" have to be anything special? Why
> > can't it be a regular user?
> I don't know much about the internals and the implementation of the
> user model in KC, but from where I'm standing, it can very well be.
> So, to recap, this is how the flow for an external client (bash
> script) would be:
> - user creates an oauth client with refresh token policy set to never
> - bash reads the keycloak.json and refresh token from somewhere
> - bash uses the refresh token to obtain an access token from KC server
> - bash uses the access token to make the request to the backend
> On the first run:
> - bash (or another CLI) builds a URL
> - user opens this URL, logs in and gets a code from KC server
> - user adds this code to the bash/CLI
> - bash/CLI exchanges this code for a refresh token, persisting it
> It seems that the only change required then is to move the token
> policy to the apps/oauth clients. If so, I'll then start scratching a
> proposal for this change. And perhaps a shell/native (Linux) client
> that would handle the boilerplate above.
> - Juca.
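As an added example (not part of this thread and not Keycloak's own code), the following POSIX shell script sketches the steady-state flow Juraci lists: read keycloak.json and a stored refresh token, exchange the refresh token for an access token at the Keycloak token endpoint, then call the backend with a bearer token. It assumes keycloak.json carries the adapter keys "auth-server-url", "realm", "resource" and "credentials": {"secret": ...}, that the token endpoint is at /realms/<realm>/protocol/openid-connect/token, and that the refresh token is the only content of the file named by TOKEN_FILE; BACKEND_URL and the helper names are hypothetical. The refresh token and client secret are handed to curl through a config file on stdin rather than as command-line arguments, so they do not show up in the process list of other local users.

```shell
#!/bin/sh
# Added example (hypothetical, not from the Keycloak project): a shell client
# that turns a stored refresh token into an access token and calls a backend.
# Assumptions: adapter-style keycloak.json ("auth-server-url", "realm",
# "resource", "credentials": {"secret": ...}); token endpoint path
# /realms/<realm>/protocol/openid-connect/token; TOKEN_FILE holds only the
# refresh token; BACKEND_URL is an assumed bearer-protected REST resource.
set -eu

KEYCLOAK_JSON="${KEYCLOAK_JSON:-./keycloak.json}"
TOKEN_FILE="${TOKEN_FILE:-$HOME/.kc-refresh-token}"
BACKEND_URL="${BACKEND_URL:-http://localhost:8080/api/hello}"

# Extract the string value of a JSON key (first match). Enough for the flat
# adapter config and the token response; use jq for anything richer.
json_field() {  # json_field KEY JSON
  printf '%s' "$2" \
    | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
    | head -n 1
}

# Build the OpenID Connect token endpoint URL from the adapter config.
token_endpoint() {  # token_endpoint JSON
  url=$(json_field auth-server-url "$1")
  realm=$(json_field realm "$1")
  printf '%s/realms/%s/protocol/openid-connect/token' "${url%/}" "$realm"
}

# Render a curl config for the refresh_token grant. Fed to curl via "-K -",
# the secret and refresh token never appear on a command line. Values are
# assumed not to contain double quotes (curl config quoting).
refresh_request_config() {  # refresh_request_config ENDPOINT CLIENT_ID SECRET REFRESH_TOKEN
  printf 'url = "%s"\nsilent\nshow-error\n' "$1"
  printf 'data-urlencode = "grant_type=refresh_token"\n'
  printf 'data-urlencode = "client_id=%s"\n' "$2"
  printf 'data-urlencode = "client_secret=%s"\n' "$3"
  printf 'data-urlencode = "refresh_token=%s"\n' "$4"
}

# Pull the short-lived access token out of the token response.
access_token_from() {  # access_token_from JSON
  json_field access_token "$1"
}

# Persist the (possibly rotated) refresh token with owner-only permissions.
store_refresh_token() {  # store_refresh_token TOKEN FILE
  (umask 077 && printf '%s\n' "$1" > "$2")
}

# Full flow: refresh -> access token -> backend call. Only runs when the
# script is invoked as "script.sh run", so the functions above can be
# sourced and exercised without network access.
run_flow() {
  cfg=$(cat "$KEYCLOAK_JSON")
  refresh=$(cat "$TOKEN_FILE")
  endpoint=$(token_endpoint "$cfg")
  response=$(refresh_request_config "$endpoint" "$(json_field resource "$cfg")" \
               "$(json_field secret "$cfg")" "$refresh" | curl -K -)
  access=$(access_token_from "$response")
  [ -n "$access" ] || { echo "token refresh failed: $response" >&2; exit 1; }
  # Keycloak may hand back a new refresh token; keep the latest one on disk.
  new_refresh=$(json_field refresh_token "$response")
  [ -z "$new_refresh" ] || store_refresh_token "$new_refresh" "$TOKEN_FILE"
  # The backend only ever sees the short-lived bearer token, never the
  # refresh token or the client secret.
  printf 'url = "%s"\nsilent\nshow-error\nheader = "Authorization: Bearer %s"\n' \
    "$BACKEND_URL" "$access" | curl -K -
}

if [ "${1:-}" = "run" ]; then
  run_flow
fi
```

Run it as `KEYCLOAK_JSON=./keycloak.json TOKEN_FILE=~/.kc-refresh-token sh kc-client.sh run`. The refresh token file is the long-lived credential in this design, which is why it is written with mode 0600 and why the refresh-token-policy setting discussed in the thread matters: a leaked file is usable until the token is revoked or expires.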