[keycloak-user] Announce - Secret Store
Bill Burke
bburke at redhat.com
Wed Jan 20 11:12:56 EST 2016
What you are describing MAKES ZERO SENSE. From your document:
"A token is created when an user reaches the path
|/secret-store/v1/tokens/create| via GET (or passing the username and
password as Basic authentication via POST) and stored into a Cassandra
data store:"
You are doing EXACTLY what the direct grant REST api does except you are
using basic auth. I still don't see the purpose of this service.
On 1/20/2016 10:57 AM, Juraci Paixão Kröhling wrote:
> Direct grants require the client to have access to an user's
> credentials. On our specific case, having plain text access to the
> account credentials are not viewed as very secure by sysadmins. So,
> issuing those tokens and making them individually revokable make sense.
>
> On 20.01.2016 16:32, Bill Burke wrote:
>> I honestly don't get why you are doing this. I assume you are familiar
>> with direct grants. Why aren't these enough? Its just a REST call to
>> keycloak to obtain a token. Honestly, this seems ridiculous.
>>
>> On 1/20/2016 9:15 AM, Juraci Paixão Kröhling wrote:
>>> For Hawkular, we were in the need of a simplified way for a REST client
>>> to communicate with our backend. After discussing this with Stian, we
>>> started the "secret-store" module, which was just spun off of Hawkular
>>> into a "standalone" project.
>>>
>>> Secret Store is a module for scenarios where the whole OAuth procedure
>>> might be undesirable or not feasible on the client side.
>>>
>>> The Secret Store has two sides:
>>>
>>> 1) a REST endpoint to create opaque tokens backed by OAuth Offline
>>> Tokens composed of a key and secret;
>>>
>>> 2) An Undertow filter/Proxy server, that translates the opaque tokens
>>> into OAuth bearer tokens, rewriting the incoming request. To your
>>> backend, it's transparent whether an opaque token or a proper OAuth
>>> token was used.
>>>
>>> More info here: https://github.com/jpkrohling/secret-store
>>>
>>> - Juca.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160120/adac70af/attachment.html
More information about the keycloak-user
mailing list