[keycloak-user] Microservices Auth with Keycloak

Pedro Igor Silva psilva at redhat.com
Wed Jul 18 08:17:36 EDT 2018


On Wed, Jul 18, 2018 at 6:19 AM, Chirdeep Tomar <chirdeep.tomar at gmail.com>
wrote:

> We are implementing a micro services architecture with services written in
> Spring/Vertx and .NET Core.
>
> So essentially these services are Resource Servers protecting resources and
> according to documentation resource servers are also clients in Keycloak.
>
> We have a few front end apps and 2 mobile apps for android and iphone which
> will also be clients in Keycloak.
>
> Questions
> 1) Should the front end apps and mobile apps be public clients in Keycloak?
>

Yes.


> 2) If each micro service which is a resource server is a client with
> credentials, how does an access token generated for a single client ID work
> across multiple micro services?
>

I think you are talking about service chaining? In case, Client A ->
Service A -> Service B?

The expected flow is that once Client A is issued with an access token, the
token should have a specific set of audiences, for instance, Service A. In
case Service A needs to access Service B, you should be able to use token
exchange to obtain a new token to access Service B from Service A.

I think most people today are just re-using access tokens to access multiple
services, which is not correct. We also have some work being done to better
support audiences in tokens.


>
> Not sure how to tie it all together, thanks for your help.
>
> Chirdeep


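The flow described in the reply above (an audience-restricted token, then a token exchange for the next hop), as an added example that is not part of the original message or of Keycloak's code. It uses the RFC 8693 form parameters; the client IDs, secret, token value and token endpoint URL are constructed placeholders, and it assumes the server permits service-a to exchange tokens for service-b.

```python
from urllib.parse import urlencode

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"

def audience_allows(claims, own_client_id):
    """True only if this service is named in the token's `aud` claim.

    `claims` must come from a token whose signature, issuer and expiry
    were already verified; this covers the audience decision only.
    RFC 7519 allows `aud` to be one string or a list of strings.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list):
        return False  # missing or malformed aud: reject, never default-allow
    return own_client_id in aud

def build_exchange_request(token_url, client_id, client_secret,
                           subject_token, target_audience):
    """URL and form body Service A posts to obtain a token for the next hop."""
    body = urlencode({
        "grant_type": TOKEN_EXCHANGE,
        "client_id": client_id,            # Service A authenticates as itself
        "client_secret": client_secret,
        "subject_token": subject_token,    # the token Client A presented
        "subject_token_type": ACCESS_TOKEN,
        "audience": target_audience,       # the service the new token is for
    })
    return token_url, body

# Constructed sample values (placeholders, not real endpoints or credentials).
TOKEN_URL = "https://keycloak.example/realms/demo/protocol/openid-connect/token"
CLAIMS_FROM_CLIENT_A = {"sub": "user-1", "azp": "client-a", "aud": "service-a"}

if __name__ == "__main__":
    # Service A accepts the token; Service B must refuse the same token.
    print("service-a accepts:", audience_allows(CLAIMS_FROM_CLIENT_A, "service-a"))
    print("service-b accepts:", audience_allows(CLAIMS_FROM_CLIENT_A, "service-b"))
    # Instead of forwarding it, Service A asks for a token scoped to Service B.
    url, body = build_exchange_request(TOKEN_URL, "service-a", "PLACEHOLDER-SECRET",
                                       "PLACEHOLDER-ACCESS-TOKEN", "service-b")
    print("POST", url)
    print(body)
```
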