[keycloak-user] Announce - Secret Store
Bob McWhirter
bmcwhirt at redhat.com
Wed Jan 20 11:48:17 EST 2016
Is that not the use-case for the ‘offline tokens’ that Keycloak added
support for recently?
(/me isn’t certain)
-Bob
On Wed, Jan 20, 2016 at 11:44 AM, Juraci Paixão Kröhling <
juraci at kroehling.de> wrote:
> On 20.01.2016 17:12, Bill Burke wrote:
> > What you are describing MAKES ZERO SENSE. From your document:
> >
> > "A token is created when an user reaches the path
> > |/secret-store/v1/tokens/create| via GET (or passing the username and
> > password as Basic authentication via POST) and stored into a Cassandra
> > data store:"
> >
> > You are doing EXACTLY what the direct grant REST api does except you are
> > using basic auth. I still don't see the purpose of this service.
>
> Those are performed in different steps. The user creates this token via
> an UI (or CLI, if needed), then use this key/secret as the credentials
> on the client.
>
> The client has no knowledge about Keycloak, OAuth, or about any meta
> data that was embedded into this opaque token. All it cares is that it's
> going to call the end service using basic auth.
>
> The secret store is *not* for every application: it's targeted to
> clients where OAuth handling is costly, undesirable or even impossible
> (like legacy applications). So, instead of entering the user's own
> credentials there, the key/secret are used instead.
>
> Our "metrics collector agent" is the main target for this: the knowledge
> about auth doesn't belong there. All it needs to know is an "user" and
> "password", which are the "key" and "secret" for the token. Where
> Keycloak is, how to create an access token from an offline token, how
> long to keep an access token, and so on is made at the secret store, as
> we need to save every processing cycle possible, to not badly influence
> a server that is being monitored (and possibly, already in a bad shape).
>
> Of course, if you can live with your password being stored in plaintext
> on the clients, you don't need the secret store. But honestly, that
> seems ridiculous.
>
> - Juca.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160120/e42e4a25/attachment.html
More information about the keycloak-user
mailing list