[keycloak-user] Question: Resource Owner Password Credentials Flow and Kerberos

Marek Posolda mposolda at redhat.com
Mon Sep 11 04:58:49 EDT 2017


I have had a JIRA open for a long time to support Kerberos for Direct 
grants (Resource Owner Password Credentials) too.

I think that it will need some helper code on the client side to generate 
the value for the "Authorization: Negotiate" HTTP header, which will need to 
be sent to Keycloak (the browser normally does it in browser-based 
flows). Then a separate Authenticator on the server side to handle the ticket. 
Note that we have the Authentication SPI and you can set/reconfigure the 
authenticator for Direct Grant. So in theory nothing prevents you from 
already implementing this on your own (and possibly contributing to Keycloak :)

Marek


On 08/09/17 17:47, felix.straub at kaufland.com wrote:
>
> Hello all,
>
> My question is whether there is a possibility to use the Kerberos config from
> Keycloak while using the ROPC flow.
> Because in this flow you just send the credentials to Keycloak and Keycloak
> validates them or authenticates them against an LDAP federation.
> So here Keycloak can't use Kerberos when the client is already sending his
> credentials, right?
>
> Thank you for your answers.
>
> Felix
>
> Kind regards,
> Felix Straub
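
Both ends of the approach described in the reply above, as an added example that is not code from the post or from Keycloak: a client-side helper that builds the "Authorization: Negotiate" header for a Direct Grant request, and the first check a server-side authenticator would make on that header. The function names, the request shape and the use of the python-gssapi package are assumptions; stock Keycloak would only accept such a request once the custom Direct Grant authenticator mentioned in the reply exists.

```python
import base64
import urllib.parse
import urllib.request

SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2


def spnego_token(host: str) -> bytes:
    """Client side: initial SPNEGO token (needs python-gssapi and a valid TGT)."""
    import gssapi  # imported lazily so the rest runs without Kerberos
    name = gssapi.Name(f"HTTP@{host}", gssapi.NameType.hostbased_service)
    mech = gssapi.OID.from_int_seq("1.3.6.1.5.5.2")
    return gssapi.SecurityContext(name=name, mech=mech, usage="initiate").step()


def direct_grant_request(token_url: str, client_id: str, gss_token: bytes):
    """Hypothetical request shape: the ticket replaces username/password."""
    # The Authorization header is taken by Negotiate, so the client
    # identifies itself in the form body instead of with HTTP Basic.
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id})
    req = urllib.request.Request(token_url, data=body.encode(), method="POST")
    req.add_header("Authorization", "Negotiate " + base64.b64encode(gss_token).decode())
    return req


def classify_negotiate(header_value: str) -> str:
    """Server side: triage the header before handing the token to GSS-API."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # NTLM fallback, not a Kerberos ticket
    # GSS-API initial token: 0x60, DER length, 0x06, OID length, OID bytes
    if len(token) < 2 or token[0] != 0x60:
        return "malformed"
    i = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
    if len(token) < i + 2 or token[i] != 0x06:
        return "malformed"
    oid = token[i + 2 : i + 2 + token[i + 1]]
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "unknown-mech")
```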
