[aerogear-dev] Direct access to UnifiedPush Server's REST without OAuth

Matthias Wessendorf matzew at apache.org
Thu Jun 5 04:47:21 EDT 2014


On Wed, Jun 4, 2014 at 6:18 PM, Tadeas Kriz <tkriz at redhat.com> wrote:

> Hey guys,
>
> as you might know, in the integration tests we only test the REST backend,
> making sure it works as intended. Before Keycloak, every action was
> achievable using the REST, that included login, logout and user management.
> We don’t need the user management for sure, but login and logout are
> another story. Now with Keycloak, anyone who wants to just use REST calls
> still needs to log in using Keycloak.
>
> My question is, do we want users to be able to access the REST without
> OAuth? If we do, it would probably mean we need to have two Keycloak
> applications,


What do you mean here? Are you suggesting two WAR files (one for each 'keycloak
application')? Or just more of a declarative setup?


> one for the UI which would still use OAuth and second one for REST calls
> which would use Bearer only. This would also mean that when someone makes a
> REST call to an endpoint without being authorized, he would receive 401
> response, instead of 302 redirect (before Keycloak, the response was 401 in
> case of unauthorized access).
>

yeah, I think the RESTful APIs behind the 'AdminUI' for the
'application/variant management' should continue to work. (I doubt there is
much usage of those outside of the AdminUI)


> What do you think?
>
>> Tadeas Kriz
>
>


-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
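As an added example (not from this thread or the UnifiedPush project), a Keycloak adapter `keycloak.json` for the REST-only deployment Tadeas describes: with `bearer-only` set, the adapter never redirects to the Keycloak login page and answers a request that carries no valid bearer token with 401. Realm name, resource name and server URL are placeholders.

```json
{
  "realm": "aerogear-example",
  "resource": "unifiedpush-rest-example",
  "auth-server-url": "https://keycloak.example.invalid/auth",
  "ssl-required": "external",
  "bearer-only": true
}
```

The AdminUI deployment keeps a separate adapter config without `bearer-only` (and with a `credentials` secret if it is a confidential client), which is what produces the 302 to the login page for browser sessions.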