[keycloak-user] Client Credentials grant Question
Marek Posolda
mposolda at redhat.com
Tue Aug 18 06:08:13 EDT 2015
Right now pluggable client authentication is already available in
master, so there is already possibility to use different mechanism for
authenticating clients than just default client_id + client_secret .
I was thinking about adding support for authenticating with kerberos
keytab in a way, that clients would need to be already registered in
keycloak. Once client is authenticated through kerberos, clientId is
read from gssContext (gssContext.getSrcName() ) and corresponding client
is found in Keycloak, so all other info including roles in the access
token will be filled from the configured "Service Account roles" for the
particular client.
Alternatively, in next version you can add your own ClientAuthenticator
implementation and implement authentication with kerberos keytab however
you want. For example you would just register 1 Client in keycloak admin
console. Then in your authenticator, when the client is successfully
authenticated with Kerberos, you will always use this registered
keycloak client but you will reuse the gssContext.getSrcName() to know
which actual client from your 1000 clients was used. Then you may also
need some custom protocol mapper implementation, which will allow you to
map the roles into accessToken based on which of your clients was used etc.
Marek
Dne 18.8.2015 v 08:31 Stian Thorgersen napsal(a):
> We would like to add support for authenticating with Kerberos keytab to clients, but not sure when we can do it.
>
> Only options to avoid manually registering clients with Keycloak at the moment would be to extend the realm store to make it look in an external source as well (we warned this SPI may change significantly in future), or you could use the rest admin api to do batch imports (you could also schedule this daily/weekly or something). Beyond we are planning to allow custom authentication flows for clients, but we have to much on our plate at the moment to also enable external sources for client config.
>
> ----- Original Message -----
>> From: "Raghu Prabhala" <prabhalar at yahoo.com>
>> To: "Keycloak-user" <keycloak-user at lists.jboss.org>
>> Sent: Tuesday, 18 August, 2015 5:20:12 AM
>> Subject: [keycloak-user] Client Credentials grant Question
>>
>> Bill/Stian,
>>
>> Is it possible to use an external system to authenticate a client for the
>> client credentials grant option? In our organization, we have a large number
>> of applications that interact with each other using kerberos accounts.
>> Today, a client application 1 will use its kerberos id and keytab to
>> authenticate against MIT kerberos and get a custom token which is passed to
>> client application 2 which then validates that token and grants access to
>> the first application. Now if we want to use Keycloak's client credentials
>> grant, the client application 1 is expected to have its client_id and secret
>> registered with keycloak. It is not possible for all our existing
>> applications to discard the current Kerberos account and go with this new
>> client_id and secret required by Keycloak. So we are wondering, if there is
>> any way, we can avoid registering a client application with keycloak and use
>> our existing Kerberos infrastructure to do the client authentication and
>> then provide the access token based on the client credentials grant option.
>> If that is not possible, any pointers on how we can use Keycloak without
>> requiring all our thousands of apps to register with keycloak?
>>
>> Thanks in advance,
>> Raghu
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list