Open natbronislavska opened 1 year ago
@mstruk might know ...
- client definition - "directAccessGrantsEnabled"
As the Keycloak documentation says: "Direct Access Grants are used by REST clients to obtain tokens on behalf of users."
It is for use with OAuth clients that act as user agents (like REST services that serve users and require users to authenticate), rather than act in their own name (as is the case with service accounts). My advice would be to not enable Direct Access Grants unless you find that you need them in order for things to work. The Kafka client microservices that just run some message processing on data rather than serve individual users normally don't need this enabled, as they use service accounts.
- scopeMapping - "offline_access"
This results in the token endpoint returning a refresh token that never expires. It is useful when you authenticate with `curl` or `wget` directly to the token endpoint specifying `scope=offline_access`, which returns a `refresh_token` that has no expiry (in addition to the `access_token`). You can then use that token as the value of the `oauth.refresh.token` client configuration parameter.
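The flow described above, as an added example that is not part of this issue or of the strimzi-kafka-oauth project: build the token request with `scope=offline_access`, inspect the returned refresh token to confirm it really is a non-expiring offline token before putting it into `oauth.refresh.token`, and render the Kafka client JAAS line. The token endpoint response and the JWT in it are constructed sample data; the password grant shown assumes Direct Access Grants are enabled on that client, and the offline check relies on Keycloak marking offline tokens with `typ: "Offline"`.

```python
import base64
import json
from urllib.parse import urlencode


def _b64url(obj: dict) -> str:
    """Base64url-encode a JSON object without padding (JWT segment style)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample: a fake, unsigned offline token as Keycloak would issue
# for scope=offline_access. Note the "Offline" type and the missing "exp" claim.
FAKE_OFFLINE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT", "kid": "example-kid"}),
    _b64url({"typ": "Offline", "iss": "https://keycloak.example/realms/demo",
             "azp": "kafka-cli", "scope": "offline_access"}),
    "fake-signature",
])
SAMPLE_RESPONSE = json.dumps({"access_token": "constructed.access.token",
                              "refresh_token": FAKE_OFFLINE_TOKEN,
                              "token_type": "Bearer"})


def token_request_body(client_id: str, username: str, password: str) -> str:
    """Form body for a direct (password) grant that asks for an offline token."""
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "username": username, "password": password,
                      "scope": "offline_access"})


def jwt_payload(token: str) -> dict:
    """Decode the payload segment only; no signature check, inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def extract_offline_refresh_token(response_json: str) -> str:
    """Return the refresh token only if it is a non-expiring offline token.

    Older Keycloak versions set exp=0 on offline tokens, newer ones omit exp,
    so both are accepted; anything else is an ordinary expiring refresh token.
    """
    token = json.loads(response_json)["refresh_token"]
    claims = jwt_payload(token)
    if claims.get("typ") != "Offline" or claims.get("exp", 0) != 0:
        raise ValueError("not an offline token; check the client's offline_access scope mapping")
    return token


def kafka_jaas_config(token_endpoint: str, client_id: str, refresh_token: str) -> str:
    """sasl.jaas.config value using strimzi-kafka-oauth's oauth.* option names."""
    return ("org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required "
            f'oauth.token.endpoint.uri="{token_endpoint}" oauth.client.id="{client_id}" '
            f'oauth.refresh.token="{refresh_token}";')
```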
I am using Keycloak for authentication (oauth) and KafkaUser for authorization (simple) and I have currently only enabled this on the external listener. I created a simple Keycloak realm, strongly inspired by the one found in the examples: https://github.com/strimzi/strimzi-kafka-oauth/blob/main/examples/docker/keycloak-import/realms/demo-realm.json
I have two questions about this realm definition: