libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

KEYCLOAK-15770 Skip creating session for docker protocol authentication

Browse source
This commit is contained in:
mposolda 2020-10-08 16:05:50 +02:00 committed by Marek Posolda
parent 39ad765fc9
commit bce56fe5c0
4 changed files with 22 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
server_admin/topics.adoc
View file

@ -93,6 +93,7 @@ include::topics/sessions/administering.adoc[]
include::topics/sessions/revocation.adoc[]
include::topics/sessions/timeouts.adoc[]
include::topics/sessions/offline.adoc[]
include::topics/sessions/transient.adoc[]
include::topics/user-federation.adoc[]
include::topics/user-federation/ldap.adoc[]
include::topics/user-federation/sssd.adoc[]

11
server_admin/topics/sessions/transient.adoc Normal file
View file

@ -0,0 +1,11 @@
[[_transient-session]]
=== Transient sessions
{project_name} has concept of transient sessions. When transient sessions are used, there is no real user session created after successful authentication.
Only a temporary transient session is created for the scope of the current request that successfully authenticated the user. This transient session allows {project_name}
to run <<_protocol-mappers, protocol mappers>> after the authentication.
When transient sessions are used, the client application has no way to refresh or introspect the token or check if a specific session is valid.
In some situations, these actions are not needed, so you can avoid the additional overhead for persistence of user sessions.
This would mean the save of performance, memory and network communication (in case of cluster and cross-datacenter environments).

4
server_admin/topics/sso-protocols/docker.adoc
View file

@ -17,6 +17,10 @@ NOTE: This flow assumes that a `docker login` command has already been performed
* The Docker client will get the bearer token from the JSON response and use it in the Authorization header to request the protected resource.
* When the Docker registry receives the new request for the protected resource with the token from the {project_name} server, the registry validates the token and grants access to the requested resource (if appropriate).
NOTE: No user session is created on the {project_name} side after successful authentication with the Docker protocol. The Docker protocol is
not used in case of browser SSO session and it does not have a way to refresh token or ask {project_name} server if a particular token/session
is still valid. So creating the session is unnecessary overhead for this protocol. For more details, see the <<_transient-session, transient session>> section.
==== {project_name} Docker Registry v2 Authentication Server URI Endpoints
{project_name} really only has one endpoint for all Docker auth v2 requests.

6
upgrading/topics/keycloak/changes.adoc
View file

@ -1,5 +1,11 @@
== Migration Changes
=== Migrating to 12.0.0
==== Skip creation of user session for the Docker protocol authentication
No user session is created after successful authentication with the Docker protocol. For details, please refer to the link:{adminguide_link}#_docker[{adminguide_name}].
=== Migrating to 11.0.0
==== Upgrade to Wildfly 20