[aerogear-dev] Direct access to UnifiedPush Server's REST without OAuth

Matthias Wessendorf matzew at apache.org
Thu Jun 5 09:08:57 EDT 2014


On Thu, Jun 5, 2014 at 2:14 PM, Stian Thorgersen <stian at redhat.com> wrote:

> As I suggested this, I'll add a bit more information.
>
> It makes sense to have two applications for UPS in Keycloak:
>
> 1) A bearer-only application for the REST endpoints - this application
> does not allow logins and hence won't redirect to login screens, but return
> 401/403. It will authenticate through the bearer token passed in the
> headers.


that would work just fine w/ curl, I think



> Any roles for UPS should be created for this application. Also, the KC
> adapter (BootstrapListener) is configured for this application, as that
> secures the REST endpoints
>

makes sense


> 2) A public application for the Admin Console - this application allows
> logins. This should have scope mappings on roles in the application above.
> This is used for the JS console, and I would recommend using keycloak.js.
>

abstractj is already on kc.js :-)


>
> ----- Original Message -----
> > From: "Matthias Wessendorf" <matzew at apache.org>
> > To: "Tadeas Kriz" <tkriz at redhat.com>
> > Cc: "AeroGear Developer Mailing List" <aerogear-dev at lists.jboss.org>
> > Sent: Thursday, 5 June, 2014 9:47:21 AM
> > Subject: Re: [aerogear-dev] Direct access to UnifiedPush Server's REST without OAuth
> >
> >
> >
> >
> > On Wed, Jun 4, 2014 at 6:18 PM, Tadeas Kriz < tkriz at redhat.com > wrote:
> >
> >
> > Hey guys,
> >
> > as you might know, in the integration tests we only test the REST backend,
> > making sure it works as intended. Before Keycloak, every action was
> > achievable using the REST; that included login, logout and user management.
> > We don’t need the user management for sure, but login and logout is
> > another story. Now with Keycloak, anyone who wants to just use REST calls
> > still needs to log in using Keycloak.
> >
> > My question is, do we want users to be able to access the REST without
> > OAuth? If we do, it would probably mean we need to have two Keycloak
> > applications,
> >
> > What do you mean here? Are you suggesting two WAR files (one for each
> > 'keycloak application')? Or just a more declarative setup?
> >
> >
> > one for the UI which would still use OAuth and a second one for REST calls
> > which would use Bearer only. This would also mean that when someone makes a
> > REST call to an endpoint without being authorized, he would receive a 401
> > response instead of a 302 redirect (before Keycloak, the response was 401
> > in case of unauthorized access).
> >
> > yeah, I think the RESTful APIs behind the 'AdminUI' for the
> > 'application/variant management' should continue to work. (I doubt there
> > is much usage of those outside of the AdminUI)
> >
> >
> >
> >
> > What do you think?
> >
> > —
> > Tadeas Kriz
> >
> >
> >
> >
> > --
> > Matthias Wessendorf
> >
> > blog: http://matthiaswessendorf.wordpress.com/
> > sessions: http://www.slideshare.net/mwessendorf
> > twitter: http://twitter.com/mwessendorf
> >
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
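Added example for this thread (not code from the thread, from the UnifiedPush Server or from Keycloak): a stand-alone model of the two-application split Stian describes above. Requests under /rest/ go through a bearer-only check that never redirects and answers 401 when there is no usable token or 403 when the token is valid but lacks the required role; the admin console path behaves like a login-capable application and answers 302 to the login page, which is also what every path gets when there is only one login-capable application. Assumptions: tokens are HS256 JWTs over a constructed shared secret so the file runs offline (Keycloak issues RS256 tokens signed with the realm key, and its adapter verifies them with the realm public key); the realm name, role name 'admin', the /rest/ prefix, the session cookie name and the login URL are placeholders.

```python
"""Bearer-only vs. login-capable handling for the UPS REST endpoints.

Added example for this mailing-list thread; not UnifiedPush Server or Keycloak
code. HS256 over a constructed secret stands in for Keycloak's RS256 realm key
so the file runs offline. Realm, role, path prefix, cookie and login URL are
assumed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_SECRET = b"constructed-demo-secret"   # stand-in for the realm signing key
REALM = "aerogear"                            # assumed realm name
REQUIRED_ROLE = "admin"                       # assumed role on the REST application
LOGIN_URL = "https://keycloak.example/auth/realms/aerogear/login"   # assumed
SESSION_COOKIE = "demo_session="              # assumed console session cookie


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(header: str, payload: str) -> bytes:
    return hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()


def mint_token(username: str, roles: list, ttl: int = 300, alg: str = "HS256") -> str:
    """Issue a realm-style token (roles under realm_access). alg="none" builds the
    unsigned token a client would try against an adapter that trusts the header."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({
        "preferred_username": username,
        "realm_access": {"roles": roles},
        "exp": int(time.time()) + ttl,
    }).encode())
    sig = b64url_encode(sign(header, payload)) if alg == "HS256" else ""
    return f"{header}.{payload}.{sig}"


def verify_token(token: str):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None                      # reject alg=none and anything not issued here
        if not hmac.compare_digest(sign(header, payload), b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
    except ValueError:                       # bad base64, bad JSON or bad UTF-8
        return None
    if claims.get("exp", 0) <= time.time():
        return None
    return claims


def bearer_only_rest(headers: dict):
    """Application 1 (bearer-only): never redirects. 401 without a usable token,
    403 when the token is valid but lacks the role, 200 otherwise."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}, ""
    claims = verify_token(auth[len("Bearer "):])
    if claims is None:
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}", error="invalid_token"'}, ""
    if REQUIRED_ROLE not in claims.get("realm_access", {}).get("roles", []):
        return 403, {}, ""
    return 200, {}, f"applications of {claims.get('preferred_username', '?')}"


def login_capable_console(headers: dict):
    """Application 2 (public, allows logins): no session means a redirect to the
    login page, fine for a browser and useless for curl."""
    if SESSION_COOKIE not in headers.get("Cookie", ""):
        return 302, {"Location": LOGIN_URL}, ""
    return 200, {}, "admin console"


def dispatch(path: str, headers: dict, two_applications: bool = True):
    """With the split, /rest/ goes to the bearer-only application. With a single
    login-capable application every path redirects, which is the 302 a REST
    client should not see."""
    if two_applications and path.startswith("/rest/"):
        return bearer_only_rest(headers)
    return login_capable_console(headers)
```

verify_token plays the part of the adapter configured for application 1; in a real keycloak.json that is the bearer-only setting, which makes the adapter verify tokens only and never start a login. The alg check matters because the header is attacker-controlled: a token that says alg=none with an empty signature must come back 401, not 200.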