Inefficient token management #34

Open
barisertekin opened this issue Mar 28, 2024 · 3 comments

Comments

@barisertekin

Hi,

It doesn't look nice to request a token for every operation.
Even if we get a new token when it expires, the same problem persists across multiple instances.
I tried with ServiceAccount + BasicAuth but couldn't succeed. I'm not sure if it's supported.
What do you think about this? Is there another way?

Thank you.

@sps-campbellwray

Currently there is nothing built into this library to cache/refresh tokens.

If you need this functionality the best way to achieve it is to write a function that returns a token, and then use the Func<string> getToken constructor when initializing the KeycloakClient. Your function could handle the caching/refreshing of the token, so it didn't create a new token each time it was called.

The way we are currently using this library is to generate a token for every single request, which I know is messy, but unfortunately other priorities have prevented me from improving this.

To answer your other question, it is possible to set up a service account and use that for authentication. I'd be happy to provide more support after the long weekend if you need it.

@barisertekin
Author

Thank you for your quick response.

I have been unable to find a way to call the admin-api with a Service Account.
The methods in the admin-api require a token.
If there is a way to call it using Basic Authentication with ClientId:ClientSecret, I would appreciate your help.

@sps-campbellwray

sps-campbellwray commented Apr 1, 2024

I'm not sure if this is the 100% correct way to do it, but this is the procedure we follow:

In the master realm find the admin-cli client, configure the capabilities like so:

image

From the Credentials tab, get the Client Secret

image

You can then use the KeycloakClient(string url, string clientSecret, KeycloakOptions options = null) constructor to create a KeycloakClient. The KeycloakOptions object uses the client admin-cli by default.

Once you've got that part working you can change over to the KeycloakClient(string url, Func<string> getToken, KeycloakOptions options = null) constructor and pass in a custom getToken function based on the GetAccessTokenAsync method in src\Keycloak.Net.Core\Common\Extensions\FlurlRequestExtensions.cs. Your function would need to implement the functionality for caching and refreshing the token as it expires.

If you manage to get this working, it would be a welcome contribution to the library. Unfortunately, other priorities have prevented me from being able to work on such an implementation, which is why it is not already there.
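A sketch of the caching getToken function discussed in this thread, as an added example that is not code from the library or from either participant. It assumes the admin-cli service account obtains tokens with the OAuth2 client_credentials grant at Keycloak's standard token endpoint; the class name CachedTokenProvider, the 30-second renewal margin and the constructor parameters are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;

// Added example: caches a Keycloak access token in memory and renews it shortly before expiry.
public sealed class CachedTokenProvider
{
    private static readonly HttpClient Http = new HttpClient();
    private readonly object _gate = new object();
    private readonly Uri _tokenEndpoint;
    private readonly string _clientId, _clientSecret;
    // Renew early so a token is never sent that expires while the request is in flight.
    private readonly TimeSpan _skew = TimeSpan.FromSeconds(30);
    private string _token;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    public CachedTokenProvider(string baseUrl, string realm, string clientId, string clientSecret)
    {
        // Assumption: Keycloak 17+ path layout; older servers prefix the path with "/auth".
        _tokenEndpoint = new Uri($"{baseUrl.TrimEnd('/')}/realms/{realm}/protocol/openid-connect/token");
        _clientId = clientId;
        _clientSecret = clientSecret; // load from a secret store, never from source code
    }

    // Signature matches Func<string>, so the method group can be passed as getToken:
    //   new KeycloakClient(url, provider.GetToken)
    public string GetToken()
    {
        lock (_gate) // one refresh at a time; concurrent callers wait and reuse the result
        {
            if (_token != null && DateTimeOffset.UtcNow < _expiresAt - _skew)
                return _token;

            using var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "client_credentials",
                ["client_id"] = _clientId,
                ["client_secret"] = _clientSecret,
            });
            // Func<string> is synchronous, so block on the HTTP call here.
            using var response = Http.PostAsync(_tokenEndpoint, form).GetAwaiter().GetResult();
            response.EnsureSuccessStatusCode();
            var body = response.Content.ReadAsStringAsync().GetAwaiter().GetResult();
            using var json = JsonDocument.Parse(body);
            _token = json.RootElement.GetProperty("access_token").GetString();
            _expiresAt = DateTimeOffset.UtcNow.AddSeconds(json.RootElement.GetProperty("expires_in").GetInt32());
            return _token;
        }
    }
}
```

The cache is per process, so each application instance still requests its own token once per token lifetime. The token and client secret stay in memory only and should not be written to logs.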
