[keycloak-user] Client Credentials grant Question
Stian Thorgersen
stian at redhat.com
Tue Aug 18 02:31:03 EDT 2015
We would like to add support for authenticating with Kerberos keytab to clients, but not sure when we can do it.
Only options to avoid manually registering clients with Keycloak at the moment would be to extend the realm store to make it look in an external source as well (we warned this SPI may change significantly in future), or you could use the rest admin api to do batch imports (you could also schedule this daily/weekly or something). Beyond we are planning to allow custom authentication flows for clients, but we have to much on our plate at the moment to also enable external sources for client config.
----- Original Message -----
> From: "Raghu Prabhala" <prabhalar at yahoo.com>
> To: "Keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Tuesday, 18 August, 2015 5:20:12 AM
> Subject: [keycloak-user] Client Credentials grant Question
>
> Bill/Stian,
>
> Is it possible to use an external system to authenticate a client for the
> client credentials grant option? In our organization, we have a large number
> of applications that interact with each other using kerberos accounts.
> Today, a client application 1 will use its kerberos id and keytab to
> authenticate against MIT kerberos and get a custom token which is passed to
> client application 2 which then validates that token and grants access to
> the first application. Now if we want to use Keycloak's client credentials
> grant, the client application 1 is expected to have its client_id and secret
> registered with keycloak. It is not possible for all our existing
> applications to discard the current Kerberos account and go with this new
> client_id and secret required by Keycloak. So we are wondering, if there is
> any way, we can avoid registering a client application with keycloak and use
> our existing Kerberos infrastructure to do the client authentication and
> then provide the access token based on the client credentials grant option.
> If that is not possible, any pointers on how we can use Keycloak without
> requiring all our thousands of apps to register with keycloak?
>
> Thanks in advance,
> Raghu
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list