How to use API keys with Keycloak

I have a similar use case, but I wouldn’t like Keycloak to generate API keys for me; I’d like it to generate tokens, but without expiration.

I’d do more with these afterwards, to add some mappings, or compress a token into, let’s say, an API key. This fits, at least subjectively, my use case, with the token holding all the required user details, permissions, etc., but the only caveat is that the token expires, obviously.

Is there a way to remove expiration for tokens issued by a specific client?

Also, can I write an SPI that would do the token issuing part, signature etc.?

I have been looking into that, and the main problem is the sessions.

You can use this

to create tokens that will expire in about 15 years (there is some Keycloak internal issue for time intervals longer than that).
But then you’ve got the session issue. It will be attached to the access key. And then, if you are following the best security practices, you will renew the certificates.
Sessions are stored in the cache (Infinispan); if the cache is wiped out, the token (or access key) generated stops working. If you renew the certificates, the token won’t validate anymore.

Using access keys as tokens would be a nice feature, but the way Keycloak is designed right now involves a lot of complexity. I am still doing some investigation on it.
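The two failure modes described in the reply above (a wiped session cache and rotated signing keys), modelled as an added example that is not part of the original thread and is not Keycloak code. Assumptions: HS256 with a constructed shared secret stands in for the realm signing keys, a plain dict stands in for the Infinispan session cache, and all names (`issue`, `validate`, `sid`, `key-2023`) are hypothetical.

```python
import base64, hashlib, hmac, json

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(keys, kid, sessions, sub, lifetime_s, now):
    """Mint a signed token bound to a new entry in the session store."""
    sid = f"sess-{len(sessions) + 1}"
    sessions[sid] = sub
    header = b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64u(json.dumps({"sub": sub, "sid": sid, "exp": now + lifetime_s}).encode())
    sig = hmac.new(keys[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64u(sig)}"

def validate(token, keys, sessions, now):
    """Return 'ok', or the reason the token is rejected."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(unb64u(header_b64)), json.loads(unb64u(body_b64))
        sig = unb64u(sig_b64)
    except (ValueError, TypeError):
        return "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "malformed"
    kid = header.get("kid")
    key = keys.get(kid) if isinstance(kid, str) else None
    if header.get("alg") != "HS256" or key is None:
        return "unknown signing key"      # the key that signed it is no longer published
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    if claims.get("exp", 0) <= now:
        return "expired"
    if claims.get("sid") not in sessions:
        return "session not found"        # token outlived the session it was bound to
    return "ok"

def demo():
    now = 1_700_000_000                   # constructed timestamp
    keys, sessions = {"key-2023": b"constructed-secret-1"}, {}
    token = issue(keys, "key-2023", sessions, "svc-reporting", 15 * 365 * 86400, now)
    results = [validate(token, keys, sessions, now)]
    saved = dict(sessions)
    sessions.clear()                      # session cache wiped
    results.append(validate(token, keys, sessions, now))
    sessions.update(saved)
    keys = {"key-2024": b"constructed-secret-2"}   # signing key renewed, old one dropped
    results.append(validate(token, keys, sessions, now))
    return results
```

In both failing cases the token is still well inside its 15-year lifetime, so a long `exp` alone does not make it behave like a durable API key.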

@ackerleytng, did you find any solution in the end?