[keycloak-user] Client Credentials grant Question

Raghu Prabhala prabhalar at yahoo.com
Tue Aug 18 22:18:07 EDT 2015


Marek - Whatever you thought of implementing makes sense and that will probably meet our needs. For it to work, I am assuming that we will have to do a bulk registration of all our client applications, using the kerberos principal (probably without the realm info, something like "abcd" instead of "abcd at realm.com") as the client_id. Another assumption is that the normal client authentication (using client_id and client secret ) will also work. Is my understanding correct? If so, is it something that you can provide in the near future (1-2 months?)
On a different note, I had a quick look at your email about Client authentication. Even though I didn't really digest it, I think whatever you are planning to implement  (clients storing their private key with them and registering their public key with Keycloak) takes you one step (actually a giant step) closer to making keycloak compliant with FIDO. I can't wait to see these features which will make keycloak a great product.
Great job everyone :-)
Stian - All the options you suggested sound great and we can look into them if the above feature suggested by Marek cannot be provided in the near future.
Thanks once again,
Regards,Raghu
      From: Marek Posolda <mposolda at redhat.com>
 To: Stian Thorgersen <stian at redhat.com>; Raghu Prabhala <prabhalar at yahoo.com> 
Cc: Keycloak-user <keycloak-user at lists.jboss.org> 
 Sent: Tuesday, August 18, 2015 6:08 AM
 Subject: Re: [keycloak-user] Client Credentials grant Question
   
Right now pluggable client authentication is already available in 
master, so there is already possibility to use different mechanism for 
authenticating clients than just default client_id + client_secret .

I was thinking about adding support for authenticating with kerberos 
keytab in a way, that clients would need to be already registered in 
keycloak. Once client is authenticated through kerberos, clientId is 
read from gssContext (gssContext.getSrcName() ) and corresponding client 
is found in Keycloak, so all other info including roles in the access 
token will be filled from the configured "Service Account roles" for the 
particular client.

Alternatively, in next version you can add your own ClientAuthenticator 
implementation and implement authentication with kerberos keytab however 
you want. For example you would just register 1 Client in keycloak admin 
console. Then in your authenticator, when the client is successfully 
authenticated with Kerberos, you will always use this registered 
keycloak client but you will reuse the gssContext.getSrcName() to know 
which actual client from your 1000 clients was used. Then you may also 
need some custom protocol mapper implementation, which will allow you to 
map the roles into accessToken based on which of your clients was used etc.

Marek

Dne 18.8.2015 v 08:31 Stian Thorgersen napsal(a):
> We would like to add support for authenticating with Kerberos keytab to clients, but not sure when we can do it.
>
> Only options to avoid manually registering clients with Keycloak at the moment would be to extend the realm store to make it look in an external source as well (we warned this SPI may change significantly in future), or you could use the rest admin api to do batch imports (you could also schedule this daily/weekly or something). Beyond we are planning to allow custom authentication flows for clients, but we have to much on our plate at the moment to also enable external sources for client config.
>
> ----- Original Message -----
>> From: "Raghu Prabhala" <prabhalar at yahoo.com>
>> To: "Keycloak-user" <keycloak-user at lists.jboss.org>
>> Sent: Tuesday, 18 August, 2015 5:20:12 AM
>> Subject: [keycloak-user] Client Credentials grant Question
>>
>> Bill/Stian,
>>
>> Is it possible to use an external system to authenticate a client for the
>> client credentials grant option? In our organization, we have a large number
>> of applications that interact with each other using kerberos accounts.
>> Today, a client application 1 will use its kerberos id and keytab to
>> authenticate against MIT kerberos and get a custom token which is passed to
>> client application 2 which then validates that token and grants access to
>> the first application. Now if we want to use Keycloak's client credentials
>> grant, the client application 1 is expected to have its client_id and secret
>> registered with keycloak. It is not possible for all our existing
>> applications to discard the current Kerberos account and go with this new
>> client_id and secret required by Keycloak. So we are wondering, if there is
>> any way, we can avoid registering a client application with keycloak and use
>> our existing Kerberos infrastructure to do the client authentication and
>> then provide the access token based on the client credentials grant option.
>> If that is not possible, any pointers on how we can use Keycloak without
>> requiring all our thousands of apps to register with keycloak?
>>
>> Thanks in advance,
>> Raghu
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user


> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150819/48fe8057/attachment-0001.html 


More information about the keycloak-user mailing list