[keycloak-user] [EXTERNAL] Re: how to implement SSO among services with Keycloak

Bill Burke bburke at redhat.com
Mon Feb 16 10:14:00 EST 2015


The token will expire.  There's been talk of providing an API to turn a 
token into a refresh token.  Haven't fully thought through the security 
implications yet though.

On 2/16/2015 10:00 AM, Kevin Chen wrote:
> Thanks Bill.
>
> Will the token expire? If so how to deal with it in the following situation:
> Service 1 in JBoss1 got a token based on the user login (it will have username/password information), then it will connect to Service 2 on JBOSS 2 with the token. Service 2 will then connect to Service 3 in JBOSS 3. If the token expires, how can Service 2 refresh it?
>
> Thanks
> Kevin
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
> Sent: Friday, February 13, 2015 6:42 AM
> To: keycloak-user at lists.jboss.org
> Subject: [EXTERNAL] Re: [keycloak-user] how to implement SSO among services with Keycloak
>
> The demo app shows how this is done:
>
> 1. visit customer portal
> 2. customer portal initiates a login
> 3. customer portal receives a token
> 4. customer uses token to make secure REST invocation to another database service.
>
> On 2/13/2015 5:33 AM, Marek Posolda wrote:
>> Keycloak can serve this use-case pretty well. Once you authenticate
>> application1 with Keycloak, you will receive an accessToken for this
>> application. This accessToken can then be used to invoke other HTTP
>> services (like "application2") and retrieve data from them. You just
>> need to send the obtained accessToken in the Authorization header in
>> a format like "Authorization: Bearer your-token".
>>
>> Also, if your application "application2" is used just as a "container of
>> REST data" for other applications and is never accessed directly by the user
>> from his browser, you can configure it as "bearer-only" in the Keycloak
>> admin console and in the keycloak.json of this application.
>>
>> We have examples exactly for this use-case: "customer-service" uses the
>> accessToken to invoke the bearer-only application "database-service" and
>> obtain data from it. See the code here:
>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L56
>>
>>
>> Marek
>>
>> On 12.2.2015 21:24, Kevin Chen wrote:
>>> In our environment, we will have multiple JBOSS instances that will host different services; they will use the same Keycloak server for authentication.
>>>
>>> One of the requirements for us is that once a user is authenticated with one service, and if that service needs to invoke another service running in a different JBOSS instance, the user should not be asked to log in again.
>>> How can we obtain a new token and pass it to the next hop?
>>>
>>> Thanks
>>> Kevin
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
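Marek's and Bill's answers describe a chain of bearer-token hops (portal logs in, receives a token, forwards it as "Authorization: Bearer ..." to a bearer-only service) and Kevin asks what happens at the middle hop once the token has expired. The following is an added example, not code from this thread or from Keycloak's demo, that models the three services in plain Python: a stand-in issuer that mints a signed, short-lived token, a middle hop that forwards the caller's Authorization header unchanged, and a bearer-only last hop that verifies signature and expiry before answering. The HS256 shared secret, the claim values, and the service functions are constructed for the example; a real Keycloak realm signs access tokens with RS256 and the adapters verify them against the realm's public key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed demo secret standing in for the realm signing key (Keycloak uses
# an RSA key pair; a symmetric key keeps this example dependency-free).
REALM_SECRET = b"constructed-demo-realm-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, issued_at: int, lifetime: int,
               secret: bytes = REALM_SECRET) -> str:
    """Stands in for the access token the portal receives after login."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": issued_at, "exp": issued_at + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + \
        _b64url(json.dumps(claims).encode())
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, now: int, secret: bytes = REALM_SECRET) -> dict:
    """What every hop does before trusting a token: signature first, then
    expiry. Raises ValueError with a short reason on any failure."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def bearer_header(token: str) -> Dict[str, str]:
    """The header format Marek describes."""
    return {"Authorization": f"Bearer {token}"}


def extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def database_service(headers: Dict[str, str], now: int) -> Tuple[int, dict]:
    """Bearer-only last hop: never redirects to a login page, it only accepts
    or rejects the presented token (constructed stand-in for Service 3)."""
    token = extract_bearer(headers)
    if token is None:
        return 401, {"error": "missing bearer token"}
    try:
        claims = verify_token(token, now)
    except ValueError as exc:
        return 401, {"error": str(exc)}
    return 200, {"rows": ["order-1", "order-2"], "owner": claims["sub"]}


def customer_service(headers: Dict[str, str], now: int) -> Tuple[int, dict]:
    """Middle hop (stand-in for Service 2): forwards the caller's token as-is.
    It verifies the token locally first so an expired or forged token is not
    propagated downstream; it cannot renew the token itself, so the caller
    has to obtain a fresh one from the issuer."""
    token = extract_bearer(headers)
    if token is None:
        return 401, {"error": "missing bearer token"}
    try:
        verify_token(token, now)
    except ValueError as exc:
        return 401, {"error": f"not forwarding: {exc}"}
    return database_service(bearer_header(token), now)


if __name__ == "__main__":
    now = int(time.time())
    token = mint_token("kevin", now, 300)           # 5-minute token
    print(customer_service(bearer_header(token), now))        # 200, rows
    print(customer_service(bearer_header(token), now + 600))  # 401, expired
```

The second call in `__main__` is Kevin's situation: the middle hop sees the expired token and answers 401 instead of forwarding it, because nothing at that hop holds credentials that could mint a new access token. Only the first hop, which performed the login, can go back to the issuer for a fresh token (with a refresh token, where the flow provides one) and retry the chain.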


More information about the keycloak-user mailing list