[keycloak-user] Any limit on number of clients?

Thomas Darimont thomas.darimont at googlemail.com
Fri Jan 15 11:08:49 EST 2016 

Quick question, do you only want to use clients because they support
authentication via certificats?

Isn't it possible to have certificate based authentication for users as
well?

Cheers,
Thomas

2016-01-15 16:37 GMT+01:00 Stian Thorgersen <sthorger at redhat.com>:

> Depends on what a device is. If it's a device that is controlled by a
> human that could authenticate as themselves then use a user account. If
> it's a device that is purely non-human than use a service account.
>
> On 15 January 2016 at 16:05, Aikeaguinea <aikeaguinea at xsmail.com> wrote:
>
>> I realize these aren't clients in the sense Keycloak intends, but in this
>> case Keycloak provides all the functionality I need without me having to
>> rebuild it myself -- particularly with respect to generating and managing
>> certificates. Since the devices are all under our control, the concept of a
>> service account seems to fit even if the Keycloak concept of "client"
>> really is intended for something else.
>>
>> Will using Keycloak clients for this purpose get us in trouble somehow?
>>
>>
>> On Wed, Jan 13, 2016, at 09:46 AM, Bill Burke wrote:
>>
>> I think you'd be better served having public clients and developing cert
>> auth for users via our auth spi, as these are users aren't they?  They
>> aren't clients in the sense of what Keycloak thinks of as a client.  A
>> client in keycloak is really a service or web app.
>>
>> On 1/13/2016 2:43 AM, Stian Thorgersen wrote:
>>
>> As Bill said we haven't tested with loads of clients, but we need to be
>> able to scale to hundreds or probably thousand clients at least. So if you
>> run into issues with it let us know and we'll look into it.
>>
>> On 13 January 2016 at 01:18, Aikeaguinea <aikeaguinea at xsmail.com> wrote:
>>
>> I'd say we're talking on the order of a hundred to start with; this
>> could ramp up to multiples of that within a year or two. I imagine the
>> thing to do would be for us to do some stress testing of our own.
>>
>> On Tue, Jan 12, 2016, at 06:57 PM, Bill Burke wrote:
>> > How many devices you talking about?  I think it may become an issue as
>> > we haven't really stressed and benched with tons (hundreds/thousands) of
>> > clients.
>> >
>> > On 1/12/2016 6:08 PM, Aikeaguinea wrote:
>> > > We have a number of devices that need to access APIs; for various
>> > > reasons we need to use client certificates for this purpose.
>> > >
>> > > I have noticed that Keycloak will allow service accounts to
>> authenticate
>> > > using client certificates and that these certificates can be generated
>> > > within Keycloak. This looks like it fits our needs well -- when we set
>> > > up a new device we would need to set up a new client and service
>> account
>> > > for it in Keycloak. I've verified through testing that we can make
>> this
>> > > work.
>> > >
>> > > Ultimately we may have to manage a fairly large number of devices, say
>> > > in the hundreds. Is there any reason that Keycloak would limit us in
>> the
>> > > number of clients we could create and manage in this way?
>> > >
>> >
>> > --
>> > Bill Burke
>> > JBoss, a division of Red Hat
>> > http://bill.burkecentral.com
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> --
>>   Aikeaguinea
>> aikeaguinea at xsmail.com
>>
>> --
>> http://www.fastmail.com - Or how I learned to stop worrying and
>>                           love email again
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing listkeycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hathttp://bill.burkecentral.com
>>
>> *_______________________________________________*
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> --
>>   Aikeaguinea
>>   aikeaguinea at xsmail.com
>>
>>
>>
>> -- http://www.fastmail.com - The way an email service should be
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160115/1551ef22/attachment.html

More information about the keycloak-user mailing list