SAF2 / documentation


keyCloak vs keyRing #31

Closed diegoguidotti closed 9 years ago

diegoguidotti commented 9 years ago

Discussing with other SAF companies we share the idea that it is difficult to understand why FIware and Fispace use two different IDM (keyCloak and keyRing). If we use some FIware GEs we need to use Fiware but for FIspace we should use keyCloak. We need a clear indication about which IDM we should use.

We prefer to use keyRing for several reasons:

sbrahma commented 9 years ago

Hello, your issue has been forwarded to the FIspace team: https://bitbucket.org/fispace/phase3support/issue/44/keycloak-vs-keyring

sbrahma commented 9 years ago

Please find the response in https://bitbucket.org/fispace/phase3support/issue/44/keycloak-vs-keyring.

JanWillemKruize commented 9 years ago

Comment provided by FIspace team:


Assuming reference to the GE Keyrock (instead of keyring). There is quite some history about the identity management GE and why FIspace chose to use an open source product that fully supports standards instead. While I would not mind to elaborate, bottom line is that FIspace uses standard OAUTH2 mechanism for authentication, which is provided by KeyCloak.

There is no need to use any keycloak specific library, any OAUTH2 compatible client would work.

When working on a java project, I would advise using the keycloak client adapter, since it's by far the most convenient OAUTH2 client library to use.

Now when an external service provider wants to be able to receive calls from FIspace, it should accept and check FIspace access tokens. This does not mean that the external service needs to be secured with keycloak! Keyrock GE could be used for the service security layer and user administration, as long as the security layer is able to handle OAUTH2 access tokens from FIspace authentication server. In a later version of FIspace arrangements can be made to store a refresh token in FIspace so the external service does not have to handle the FIspace tokens anymore, but for now this is a limitation. This limitation is the same if keycloak or keyrock is used on either side, as long as 2 authentication servers are used, they will need to either be able to check alien tokens, or to exchange refresh tokens.
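The requirement above, that an external service must "check alien tokens" issued by the FIspace authorization server without itself being secured by Keycloak, can be met with the standard OAuth2 token-introspection endpoint (RFC 7662) that Keycloak exposes. The Python below is an added example, not code from FIspace or the SAF2 project; the issuer URL, client id and the sample introspection response are assumptions constructed for illustration.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed values (not from the issue): the FIspace realm's issuer URL and the
# client id under which this external service is registered in that realm.
EXPECTED_ISSUER = "https://auth.fispace.example/auth/realms/fispace"
MY_CLIENT_ID = "external-service"
CLOCK_SKEW_SECONDS = 30

def introspect(token, client_secret, timeout=5.0):
    """Ask the FIspace authorization server whether `token` is active (RFC 7662).
    Keycloak serves this at <issuer>/protocol/openid-connect/token/introspect."""
    url = EXPECTED_ISSUER + "/protocol/openid-connect/token/introspect"
    body = urllib.parse.urlencode({"token": token}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    cred = base64.b64encode(f"{MY_CLIENT_ID}:{client_secret}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)  # the service authenticates itself
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def check_claims(info, required_scope, now=None):
    """Validate an introspection response; return None if acceptable, else a reason.
    `active` alone is not enough: issuer, lifetime, audience and scope are checked too."""
    now = time.time() if now is None else now
    if not info.get("active"):
        return "token not active"
    if info.get("iss") != EXPECTED_ISSUER:
        return "unexpected issuer"
    exp = info.get("exp")
    if not isinstance(exp, (int, float)) or exp + CLOCK_SKEW_SECONDS < now:
        return "token expired"
    nbf = info.get("nbf")
    if isinstance(nbf, (int, float)) and nbf - CLOCK_SKEW_SECONDS > now:
        return "token not yet valid"
    aud = info.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if MY_CLIENT_ID not in aud:
        return "token not issued for this service"
    if required_scope not in str(info.get("scope", "")).split():
        return "missing scope"
    return None

# Constructed sample in RFC 7662 shape (not captured from a live server).
SAMPLE_OK = {"active": True, "iss": EXPECTED_ISSUER, "aud": ["external-service", "account"],
             "exp": 1_700_000_600, "nbf": 0, "scope": "openid orders:read", "client_id": "fispace-core"}
```

Keycloak only lists a client in `aud` when the realm is configured with an audience mapper for it, so the audience check has to be agreed with the operator of the FIspace realm rather than assumed.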


Closing the issue since it has been marked as "won't fix"