[keycloak-user] Any limit on number of clients?

Aikeaguinea aikeaguinea at xsmail.com
Fri Jan 15 22:05:29 EST 2016 

To my knowledge, if you want certificate-based authentication for users
you'd have to write it yourself.


On Fri, Jan 15, 2016, at 11:08 AM, Thomas Darimont wrote:
> Quick question, do you only want to use clients because they support
> authentication via certificats?
>
> Isn't it possible to have certificate based authentication for users
> as well?
>
> Cheers, Thomas
>
> 2016-01-15 16:37 GMT+01:00 Stian Thorgersen <sthorger at redhat.com>:
>> Depends on what a device is. If it's a device that is controlled by a
>> human that could authenticate as themselves then use a user account.
>> If it's a device that is purely non-human than use a service account.
>>
>> On 15 January 2016 at 16:05, Aikeaguinea
>> <aikeaguinea at xsmail.com> wrote:
>>> __
>>> I realize these aren't clients in the sense Keycloak intends, but in
>>> this case Keycloak provides all the functionality I need without me
>>> having to rebuild it myself -- particularly with respect to
>>> generating and managing certificates. Since the devices are all
>>> under our control, the concept of a service account seems to fit
>>> even if the Keycloak concept of "client" really is intended for
>>> something else.
>>>
>>> Will using Keycloak clients for this purpose get us in trouble
>>> somehow?
>>>
>>>
>>> On Wed, Jan 13, 2016, at 09:46 AM, Bill Burke wrote:
>>>> I think you'd be better served having public clients and developing
    cert auth for users via our auth spi, as these are users aren't
    they?  They aren't clients in the sense of what Keycloak thinks of
    as a client.  A client in keycloak is really a service or web app.
>>>>
>>>> On 1/13/2016 2:43 AM, Stian Thorgersen
      wrote:
>>>>> As Bill said we haven't tested with loads of
        clients, but we need to be able to scale to hundreds or probably
        thousand clients at least. So if you run into issues with it let
        us know and we'll look into it.
>>>>>
>>>>> On 13 January 2016 at 01:18,
          Aikeaguinea <aikeaguinea at xsmail.com> wrote:
>>>>>> I'd say
            we're talking on the order of a hundred to start with; this
>>>>>> could ramp up to multiples of that within a year or two. I
            imagine the
>>>>>> thing to do would be for us to do some stress testing of our
            own.
>>>>>>
>>>>>> On Tue, Jan 12, 2016, at 06:57 PM, Bill Burke wrote:
>>>>>> > How many devices you talking about?  I think it may
                become an issue as
>>>>>> > we haven't really stressed and benched with tons
                (hundreds/thousands) of
>>>>>> > clients.
>>>>>> >
>>>>>> > On 1/12/2016 6:08 PM, Aikeaguinea wrote:
>>>>>> > > We have a number of devices that need to
                access APIs; for various
>>>>>> > > reasons we need to use client certificates for
                this purpose.
>>>>>> > >
>>>>>> > > I have noticed that Keycloak will allow
                service accounts to authenticate
>>>>>> > > using client certificates and that these
                certificates can be generated
>>>>>> > > within Keycloak. This looks like it fits our
                needs well -- when we set
>>>>>> > > up a new device we would need to set up a new
                client and service account
>>>>>> > > for it in Keycloak. I've verified through
                testing that we can make this
>>>>>> > > work.
>>>>>> > >
>>>>>> > > Ultimately we may have to manage a fairly
                large number of devices, say
>>>>>> > > in the hundreds. Is there any reason that
                Keycloak would limit us in the
>>>>>> > > number of clients we could create and manage
                in this way?
>>>>>> > >
>>>>>> >
>>>>>> > --
>>>>>> > Bill Burke JBoss, a division of Red Hat
>>>>>> > http://bill.burkecentral.com
>>>>>> >
>>>>>> > _______________________________________________
>>>>>> > keycloak-user mailing list keycloak-user at lists.jboss.org
>>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
                Aikeaguinea
>>>>>> aikeaguinea at xsmail.com
>>>>>>
>>>>>>
                --
>>>>>> http://www.fastmail.com
                - Or how I learned to stop worrying and
>>>>>>
                love email again
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>> --
Bill Burke JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>> _________________________________________________
>>>> keycloak-user mailing list keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Aikeaguinea aikeaguinea at xsmail.com
>>>
>>>
>>>
>>> --
>>> http://www.fastmail.com - The way an email service should be
>>>
>>>
>>>
>>> _______________________________________________
>>>
keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> _______________________________________________
>>
keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
  Aikeaguinea
  aikeaguinea at xsmail.com
 
 

-- 
http://www.fastmail.com - The professional email service

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160115/43b88b82/attachment-0001.html

More information about the keycloak-user mailing list