[keycloak-user] KeyCloak offline tokens and architecture

Stian Thorgersen sthorger at redhat.com
Wed May 25 02:17:00 EDT 2016


On 18 May 2016 at 11:53, Haim Vana <haimv at perfectomobile.com> wrote:

> Hi,
> We are evaluating KeyCloak to be our SSO server, and we have a few
> questions regarding the offline token usage.
>
> First our high level use case is as follows:
> We have multi-tenancy applications, each tenant will have its own realm
> (which means the same clients will be defined for each realm).
> One of the applications has 3 authentication scenarios:
>
> 1.    User using SDK flow to access the application (by code)
>
> 2.    Offline job
>
> 3.    External micro service (not registered in KeyCloak) that needs to
> access our application micro service
>
> 4.    UI login
> We thought to use offline tokens for the first three, and define a single
> client for the UI and micro services.
>

For #3 it sounds like a service account would be better.


> Does our approach make sense? Especially regarding the realm per tenant
> and the fact that we will have to create the same clients for each realm,
> the offline token usage for the authentication flows, and the single
> client for the UI and micro service.
>
> Regarding the offline tokens - why are they per client? Does it mean that
> when using the client offline token (and getting the real token from
> KeyCloak) we will not be able to use it for other clients (within the realm)
> micro services?
>
> Also how can we generate them for each of the following cases (also
> described above):
>
> 1.    User - should manually add the token to his code, so we thought to
> provide it within the application. However, how can we generate the offline
> token for an already logged in user? We would like to avoid generating the
> offline token for all users and using a separate offline login page.
>

Just do another redirect to the login page and include ?scope=offline. If the
user is already authenticated, the user wouldn't have to log in again.


> 2.    Offline job - the offline job, which is cross-realm, will use a
> special operator realm. The token will be generated manually by the admin,
> who will store it in the file system for the offline job's usage. How can
> the admin generate this token? Can it be done in the admin console? If
> not, I guess we will have to create a service that logs him in to the
> application and generates the token. Is there an alternative?
>

If the offline job is not acting on behalf of a user then use a service
account instead.


> 3.    Micro service - it's a very similar flow to the offline job, only that
> the admin will have to create an offline token per realm.
>

Same as above.

> I hope it's not too much and any advice will be highly appreciated.
>
>
>
> Thanks,
> Haim.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
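The three flows discussed in the thread, written out as an added example (not code from the thread or from the Keycloak project): the second redirect that asks an already authenticated user for an offline token, the client_credentials grant a service account uses instead of a stored token, the refresh_token grant that turns a stored offline token into an access token, and a look at the claims that make offline tokens per client. The base URL, realm, client ids and the sample token are constructed; endpoint paths follow Keycloak's standard OIDC layout under `/auth/realms/{realm}/protocol/openid-connect/`, and the scope value used is `offline_access`, the OIDC scope name Keycloak documents for offline tokens.

```python
"""Added example: Keycloak offline-token and service-account flows on the wire.
Deployment values below are constructed for the example, not from the thread."""
import base64
import json
from urllib.parse import urlencode

BASE_URL = "https://sso.example.com/auth"   # assumed Keycloak base URL
REALM = "tenant-a"                           # assumed per-tenant realm


def oidc_endpoint(kind: str, base_url: str = BASE_URL, realm: str = REALM) -> str:
    """Return the realm's authorization ('auth') or token ('token') endpoint."""
    if kind not in ("auth", "token"):
        raise ValueError(kind)
    return f"{base_url}/realms/{realm}/protocol/openid-connect/{kind}"


def offline_login_redirect(client_id: str, redirect_uri: str, state: str) -> str:
    """Case 1, user already logged in: a second redirect to the login page that
    requests offline_access.  The existing SSO session means no credential prompt;
    exchanging the returned code yields an offline token as the refresh token."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid offline_access",
        "state": state,  # caller-generated anti-CSRF value, checked on return
    }
    return f"{oidc_endpoint('auth')}?{urlencode(params)}"


def service_account_token_request(client_id: str, client_secret: str) -> dict:
    """Cases 2 and 3 when nothing acts on behalf of a user: the client_credentials
    grant of a confidential client with service accounts enabled.  No admin has
    to mint a token or store one on disk; only the client secret is configured."""
    return {
        "url": oidc_endpoint("token"),
        "data": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
        },
    }


def offline_token_refresh_request(client_id: str, client_secret: str, offline_token: str) -> dict:
    """Turn a stored offline token into a fresh access token.  It is an ordinary
    refresh_token grant and must come from the client that obtained the token."""
    return {
        "url": oidc_endpoint("token"),
        "data": {
            "grant_type": "refresh_token",
            "client_id": client_id,
            "client_secret": client_secret,
            "refresh_token": offline_token,
        },
    }


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def inspect_offline_token(token: str) -> dict:
    """Read the claims behind 'why per client': Keycloak marks offline tokens with
    typ=Offline and records the requesting client in azp.  Payload decode only;
    the signature is NOT verified here (the server verifies it on refresh)."""
    header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return {
        "alg": json.loads(_b64url_decode(header)).get("alg"),
        "is_offline": claims.get("typ") == "Offline",
        "azp": claims.get("azp"),
        # offline tokens carry exp 0: valid until revoked or the offline session idles out
        "has_no_expiry": claims.get("exp", 0) == 0,
    }


# Constructed, unsigned sample offline token for illustration only.
SAMPLE_OFFLINE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT"}),
    _b64url_encode({"typ": "Offline", "azp": "ui-client", "exp": 0,
                    "iss": f"{BASE_URL}/realms/{REALM}"}),
    "signature-omitted",
])


def usable_by(client_id: str, token: str = SAMPLE_OFFLINE_TOKEN) -> bool:
    """An offline token obtained by one client cannot be refreshed by another."""
    info = inspect_offline_token(token)
    return info["is_offline"] and info["azp"] == client_id
```

The token-inspection helper is for diagnostics on the consuming side (is this a real offline token, and which client does it belong to); it deliberately does not replace server-side signature verification.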

