[keycloak-user] Questions about keycloak

Marek Posolda mposolda at redhat.com
Thu Nov 27 10:38:08 EST 2014


On 27.11.2014 16:21, Ruben Lopez wrote:
> Hi,
> Our organization is currently evaluating the use of Keycloak and we 
> have some questions:
> 1 - Is there any way to obtain an access token for an OAuth Client via 
> Client Credentials[1]?
You mean something like Service account like this from OAuth2 specs 
http://tools.ietf.org/html/rfc6749#page-40 ? We don't have that yet, but 
there are plans to support it afaik.
> 2 - If we make a request to an Application (Resource Server) with an 
> access token and this Application needs to talk to another protected 
> Application to form the response to the client, how does the first 
> Application authenticates to the second Application? Does Keycloak 
> implements something like Chain Grant Type Profile[2]?
yes, that is doable. We have an example where we have frontend 
application like 'customer-portal', which is able to retrieve 
accessToken from keycloak like here: 
and then use this accessToken to send request to backend application 
'database-service' in Authorization header 
. Database-service is then able to authenticate the token.

Currently our database-service is directly serving requests and send 
back data, but it shouldn't be a problem to add another application to 
the chain, so that database-service will send the token again to another 
app like 'real-database-service', which will return data and those data 
will be sent back to the original frontent requestor (customer-portal). 
Is it something what you meant?

> Thanks in advance.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141127/6b1eda09/attachment.html 

More information about the keycloak-user mailing list