[keycloak-user] Announce - Secret Store

Juraci Paixão Kröhling juraci at kroehling.de
Wed Jan 20 10:57:01 EST 2016


Direct grants require the client to have access to a user's 
credentials. In our specific case, having plain-text access to the 
account credentials is not viewed as very secure by sysadmins. So, 
issuing those tokens and making them individually revocable makes sense.

On 20.01.2016 16:32, Bill Burke wrote:
> I honestly don't get why you are doing this.  I assume you are familiar
> with direct grants.  Why aren't these enough?  It's just a REST call to
> keycloak to obtain a token.  Honestly, this seems ridiculous.
>
> On 1/20/2016 9:15 AM, Juraci Paixão Kröhling wrote:
>> For Hawkular, we were in need of a simplified way for a REST client
>> to communicate with our backend. After discussing this with Stian, we
>> started the "secret-store" module, which was just spun off of Hawkular
>> into a "standalone" project.
>>
>> Secret Store is a module for scenarios where the whole OAuth procedure
>> might be undesirable or not feasible on the client side.
>>
>> The Secret Store has two sides:
>>
>> 1) a REST endpoint to create opaque tokens backed by OAuth Offline
>> Tokens composed of a key and secret;
>>
>> 2) An Undertow filter/Proxy server, that translates the opaque tokens
>> into OAuth bearer tokens, rewriting the incoming request. To your
>> backend, it's transparent whether an opaque token or a proper OAuth
>> token was used.
>>
>> More info here: https://github.com/jpkrohling/secret-store
>>
>> - Juca.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
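To make the two sides of the design concrete, here is an added Python sketch written for this thread; it is not code from the secret-store project and makes two assumptions that the announcement does not state: that the opaque token is presented by the client as an HTTP Basic credential of the form key:secret, and that the proxy turns the stored offline token into a bearer token through a pluggable exchange function (in a real deployment that would be a refresh-token grant against the Keycloak token endpoint; here `fake_exchange` is a constructed stand-in). The store keeps only a salted hash of each secret, so a dump of the store yields no usable credentials, and each opaque token can be revoked on its own without touching the user's account password.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Hypothetical exchange hook: offline token -> bearer access token, or None if
# the offline token is no longer valid at the identity provider.
ExchangeFn = Callable[[str], Optional[str]]


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked store does not reveal usable secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class StoredToken:
    secret_hash: bytes
    salt: bytes
    offline_token: str   # the OAuth offline token this opaque token is backed by
    revoked: bool = False


class SecretStore:
    """Side 1: issues opaque (key, secret) pairs and supports per-token revocation."""

    def __init__(self) -> None:
        self._tokens: Dict[str, StoredToken] = {}

    def create_token(self, offline_token: str) -> Tuple[str, str]:
        key = secrets.token_urlsafe(16)
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._tokens[key] = StoredToken(_hash_secret(secret, salt), salt, offline_token)
        return key, secret  # the secret is handed out once and never stored in clear

    def revoke(self, key: str) -> bool:
        tok = self._tokens.get(key)
        if tok is None:
            return False
        tok.revoked = True
        return True

    def lookup(self, key: str, secret: str) -> Optional[str]:
        tok = self._tokens.get(key)
        if tok is None or tok.revoked:
            return None
        # Constant-time comparison of the hashes, not of the raw secrets.
        if not hmac.compare_digest(tok.secret_hash, _hash_secret(secret, tok.salt)):
            return None
        return tok.offline_token


class TokenTranslatingFilter:
    """Side 2: rewrites a request carrying an opaque token into one carrying a
    bearer token; requests that already carry a bearer token pass through."""

    def __init__(self, store: SecretStore, exchange: ExchangeFn) -> None:
        self._store = store
        self._exchange = exchange

    def filter(self, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        scheme, _, value = headers.get("Authorization", "").partition(" ")
        if scheme == "Bearer" and value:
            return 200, headers            # backend sees a plain OAuth request
        if scheme != "Basic" or not value:
            return 401, headers
        try:
            key, _, secret = base64.b64decode(value).decode().partition(":")
        except ValueError:                 # malformed base64 or non-UTF-8 bytes
            return 401, headers
        offline_token = self._store.lookup(key, secret)
        if offline_token is None:
            return 401, headers            # unknown key, wrong secret, or revoked
        access_token = self._exchange(offline_token)
        if access_token is None:
            return 401, headers            # offline token rejected by the IdP
        rewritten = dict(headers)
        rewritten["Authorization"] = f"Bearer {access_token}"
        return 200, rewritten


def basic_header(key: str, secret: str) -> str:
    """Build the Authorization value a client would send for an opaque token."""
    return "Basic " + base64.b64encode(f"{key}:{secret}".encode()).decode()


def fake_exchange(offline_token: str) -> Optional[str]:
    # Constructed stand-in for the refresh-token grant; accepts only our sample tokens.
    return f"access-for-{offline_token}" if offline_token.startswith("offline-") else None


if __name__ == "__main__":
    store = SecretStore()
    proxy = TokenTranslatingFilter(store, fake_exchange)
    key, secret = store.create_token("offline-sample")
    print(proxy.filter({"Authorization": basic_header(key, secret)}))
    store.revoke(key)
    print(proxy.filter({"Authorization": basic_header(key, secret)}))
```

The filter never forwards the key/secret pair to the backend: a successful translation replaces the Authorization header entirely, and any failure (bad secret, revoked key, rejected offline token) is answered at the proxy, which is where revocation of a single opaque token takes effect.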

