[keycloak-dev] <kc:bearer-only> and BASIC auth
Eric Wittmann
eric.wittmann at redhat.com
Fri Aug 21 09:47:54 EDT 2015
[Resending this because apparently I wasn't subscribed to this mailing
list before!]
----
Hey guys. This is in reference to the discussion here:
https://issues.jboss.org/browse/KEYCLOAK-1472
At Bill's request, I'm moving it here.
I think KEYCLOAK-1472 (for us) might have a couple different aspects to
it. So I'm going to focus on just one in this email. And I'll start a
different thread for the other aspect.
We have a REST endpoint located at /apiman which is protected by
keycloak. We need to support both bearer token authentication *and*
BASIC authentication on that endpoint. Our apiman UI uses bearer-token
auth to access the API. However, for scripts and CLIs and other
integrations, we need to allow users to provide BASIC auth credentials
if they so choose.
In any case, here is the relevant config in standalone.xml for this:
<kc:secure-deployment xmlns:kc="urn:jboss:domain:keycloak:1.0"
                      name="apiman.war">
    <kc:realm>apiman</kc:realm>
    <kc:resource>apiman</kc:resource>
    <kc:credential name="secret">
        password
    </kc:credential>
    <kc:enable-basic-auth>true</kc:enable-basic-auth>
    <kc:disable-trust-manager>true</kc:disable-trust-manager>
</kc:secure-deployment>
This works great unless authentication fails, at which point we get a
redirect to the login page. That makes sense if this were a UI, but
it's not. The solution to the redirect problem is to add:
<kc:bearer-only>true</kc:bearer-only>
This fixes the redirect to login page problem but it disables BASIC auth
support.
Can we get an option that disables the login redirect but still allows
BASIC auth to work?
-Eric
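The behaviour Eric is asking for (accept either a bearer token or BASIC credentials, and on failure answer with a 401 challenge instead of a redirect to the login page) is easy to state as a small request handler. The following is an added illustration, not Keycloak adapter code and not part of the original thread: the token set, the user table, the `/auth/login` path and the `authenticate` function are all constructed for the example. A `redirect_to_login` switch reproduces the redirect behaviour the mail complains about so the two outcomes can be compared side by side.

```python
import base64
import hmac
from dataclasses import dataclass, field

# Constructed sample data for the illustration (not from the page).
VALID_BEARER_TOKENS = {"tok-apiman-ui-session"}
BASIC_USERS = {"cli-user": "cli-secret"}
LOGIN_PAGE = "/auth/login"  # hypothetical login-page path


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def basic_header(user: str, password: str) -> str:
    """Build the value of an 'Authorization: Basic ...' header (helper for callers)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _basic_ok(encoded: str) -> bool:
    """Decode user:password and compare in constant time against the user table."""
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    expected = BASIC_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def _bearer_ok(token: str) -> bool:
    """Stub token check; a real service would validate the token's signature and expiry."""
    return token in VALID_BEARER_TOKENS


def _failure(redirect_to_login: bool) -> Response:
    if redirect_to_login:
        # What a browser-oriented deployment does: send the client to the login page.
        return Response(302, {"Location": LOGIN_PAGE})
    # What an API endpoint should do: challenge for either scheme, no redirect.
    return Response(
        401,
        {"WWW-Authenticate": 'Bearer realm="apiman", Basic realm="apiman"'},
        "unauthorized",
    )


def authenticate(headers: dict, redirect_to_login: bool = False) -> Response:
    """Accept a bearer token or BASIC credentials; fail with a challenge or a redirect."""
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization", "")
    scheme, _, value = auth.partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme == "bearer" and value and _bearer_ok(value):
        return Response(200, {}, "ok (bearer)")
    if scheme == "basic" and value and _basic_ok(value):
        return Response(200, {}, "ok (basic)")
    return _failure(redirect_to_login)


if __name__ == "__main__":
    print(authenticate({"Authorization": "Bearer tok-apiman-ui-session"}))
    print(authenticate({"Authorization": basic_header("cli-user", "cli-secret")}))
    print(authenticate({}))                          # 401 with WWW-Authenticate
    print(authenticate({}, redirect_to_login=True))  # 302 to the login page
```

With the default `redirect_to_login=False` a script or CLI that sends bad or missing credentials gets a 401 carrying both `Bearer` and `Basic` challenges, which is what non-interactive clients can act on; the 302 branch is the behaviour the mail describes as appropriate for a UI but not for the REST endpoint.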