[keycloak-user] Access tokens in Queue based systems

Pavel Micka Pavel.Micka at zoomint.com
Fri Aug 16 08:21:37 EDT 2019 

Currently we are using credentials for accessing the broker (and we are investigating, if we can do more). The clients are generally microservices, the messages are essentially events (in sense of event streaming, so small chages of data records).
If we are talking about KC level, then they have service accounts.

Pavel


From: Pedro Igor Silva <psilva at redhat.com>
Sent: Friday, August 16, 2019 2:01 PM
To: Pavel Micka <Pavel.Micka at zoomint.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Access tokens in Queue based systems

Hi,

Out of curiosity:

* How authentication in Rabbit is being done?
* What types of clients are sending messages?
* How these clients are obtaining access tokens (grant types)?

Regards.
Pedro Igor

On Tue, Aug 13, 2019 at 4:14 AM Pavel Micka <Pavel.Micka at zoomint.com<mailto:Pavel.Micka at zoomint.com>> wrote:
Hello everyone,

We are using Keycloak (OIDC) in our system and it has proven to be a great solution for http based communication. But we have slight issue with figuring out how to correctly pass the access tokens through queues. The point is that we have a partially a streaming system and we want to make sure that if an attacker manages to send the messages to Rabbit, the messages will not be authorized by clients. That is the theory.

We can send the access tokens through the queue... but the messages may rot in the queue for quite some time (our SLA is in hours), so that would mean long validity of the token (and that may cause issues in case the token is somehow leaked).

Better option would be to have a long validity token, but scope it to the content of the message. But you know...streaming application... there can be thousands of messages a second. And that may cause big scalability issues when bombarding keycloak for each and every message in the system.

Is there some better approach with OIDC? Or should I look on some additional non-KC solution?

Thanks!

Pavel
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list