I have a similar use case, but I wouldn’t like Keycloak to generate API keys for me, I’d like it to generate tokens but without expiration.
I’d do more with these afterwards, to add some mappings, or compress a token into, let’s say, an API key. This fits, at least subjectively, my use case, with the token holding all the required user details, permissions, etc., but the only caveat is that the token obviously expires.
Is there a way to remove expiration for tokens issued by a specific client?
Also, can I write an SPI that would do the token-issuing part, signature, etc.?
I have been looking into that, and the main problem is the sessions.
You can use this
to create tokens that will expire in about 15 years (there is some Keycloak-internal issue for time intervals longer than that).
But then you’ve got the session issue. It will be attached to the access key. And then, if you are following the best security practices, you will renew the certificates.
Sessions are stored in the cache (Infinispan); if the cache is wiped out, the token (or access key) generated stops working. If you renew the certificates, the token won’t validate anymore.
Using access keys as tokens would be a nice feature, but the way Keycloak is designed right now involves a lot of complexity. I am still doing some investigation on it.
@ackerleytng, did you find any solution in the end?
Is there a way to do that in 2024? Sounds like a pretty basic feature to have API keys generated by Keycloak through the Admin API that expire after 3 or 6 months. Offline tokens seem like a solution according to this thread, but the docs don’t say anything about expiration dates for an offline token.
Keycloak does not support API keys. It’s an IdP, not an API key management server.
It’s not in the scope of Keycloak. It never was and most likely it will never be.
Replying to myself that in the end I used the Direct Naked Impersonation feature provided by the latest Keycloak. Here’s a rough guide on how I did it:
Enabled the following 2 features on my Keycloak 24.0.3 by passing --features=admin-fine-grained-authz,token-exchange as an argument when starting Keycloak.
I then followed the guide here on Direct Naked Impersonation (Securing Applications and Services Guide) and the exact steps described there (note: don’t follow tutorials on the internet, most of them are outdated).
I then store my generated API keys in my database (encrypted, of course), and when the user sends an API key along in the header, I check if it matches any of the database entries and then I impersonate that user using their ID.
Looks like the best approach; also, hiding Keycloak behind a VPN is another best practice to avoid someone being able to impersonate all of your users if they get hold of your client credentials.
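Added example, written for this thread and not taken from any post here or from Keycloak itself, sketching the flow of the last post in Python: the key from the request header is digested and checked against a constructed key table, and the matched user ID is placed into the token-exchange request that Keycloak's direct naked impersonation expects (grant_type token-exchange plus requested_subject, no subject_token). The table contents, the user ID, the realm name myrealm, the client name api-gateway and its secret are placeholder assumptions, and storing a digest instead of reversible ciphertext is a choice made here, not the poster's.

```python
import hashlib
import hmac
import json
import urllib.parse
import urllib.request
from typing import Optional, Tuple

def hash_api_key(api_key: str) -> str:
    # Assumption: the table stores a digest, not the reversible ciphertext of the key.
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()

# Constructed stand-in for the database of issued keys: digest -> Keycloak user ID.
# Both the key and the user ID are made-up placeholders.
API_KEY_STORE = {
    hash_api_key("ak_constructed_example_key_1"): "00000000-user-id-placeholder",
}

def lookup_user_for_api_key(api_key: str) -> Optional[str]:
    """Return the user ID bound to a presented key, or None. Every row is compared
    with compare_digest and there is no early return, so timing does not reveal
    where (or whether) the match sits in the table."""
    presented = hash_api_key(api_key)
    matched = None
    for stored_hash, user_id in API_KEY_STORE.items():
        if hmac.compare_digest(stored_hash, presented):
            matched = user_id
    return matched

def build_impersonation_request(base_url: str, realm: str, client_id: str,
                                client_secret: str, user_id: str,
                                audience: Optional[str] = None) -> Tuple[str, dict]:
    """Token endpoint URL and form for direct naked impersonation: the token-exchange
    grant carrying requested_subject and no subject_token."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_subject": user_id,
    }
    if audience:  # optional: restrict the issued token to one target client
        form["audience"] = audience
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token", form

def exchange_for_user_token(url: str, form: dict) -> dict:
    """POST the form to Keycloak and return the parsed token response (needs a live server)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

The client named in the form must be the one granted the impersonation permission in the fine-grained admin settings, which is why its credentials deserve the same protection the post gives them.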