[keycloak-user] Best Practice m2m

Pedro Igor Silva psilva at redhat.com
Fri May 25 08:38:07 EDT 2018


On Fri, May 25, 2018 at 2:37 AM, Uli SE <keycloaklist at ulise.de> wrote:

> Hi,
>
> we are developing a quite big angular + jboss-rest application with
> Keycloak OIC as auth layer. We are passing a bunch of user(login)
> specific information in a bearer token from angular to the rest-services
> when calling them.
>
> Now we have the situation that some (automated/cyclic) services have to
> call some other services on behalf of a user without the user having
> logged in before - but with some login information.
>
> How do you solve such situations? Should we use persistent tokens or is
> some kind of impersonation a better solution?
>

I think none of these approaches will work for you. And what you need is
some way to allow your backend services to obtain access/refresh tokens.
I think this is something that Google Sign-In does with their hybrid
server-side flow using a one-time code [1].

Others can give their feedback about this, but I'm not sure how to properly
solve this problem without a specific functionality on the Keycloak side.

[1] https://developers.google.com/identity/sign-in/web/server-side-flow


>
> Many thanks for discussion,
>
> Uli