[keycloak-dev] (no subject)
Sebastien Blanc
sblanc at redhat.com
Fri Apr 29 14:23:28 EDT 2016
Hi Luke !
I might be wrong but I think I have the exact demo working of what you
describe :
1. the standalone webapp client :
https://github.com/sebastienblanc/devoxxfr/tree/master/angular-client , you
can run it with "grunt serve"
2. the nodejs service :
https://github.com/sebastienblanc/devoxxfr/tree/master/nodejs-service , run
it with "npm start"
3. external keycloak server running
I did not need to define any confidential client, the trick is to use
"bearer-only" for the nodejs service, take a look at my sample realm :
https://github.com/sebastienblanc/devoxxfr/blob/master/devoxxrealm.json
And sorry if I was completly aside what you meant.
Sebi
On Fri, Apr 29, 2016 at 7:09 PM, Luke Holmquist <lholmqui at redhat.com> wrote:
> I have a use case, that i think could be pretty common, but i'm not
> entirely sure how to setup it up.
>
> The following is a little bit of a thought dump, so pardon me if i ramble
> a little bit.
>
>
> There are i think 3 components involved here:
>
> 1. a pure HTML/JS web app
>
> 2. A node.js REST API server
>
> 3. Keycloak server
>
>
> The app in this case, would not be served by the node server or the KC
> server(wildfly), but with something like nginx(or even something like
> 'python simpleHTTPServer')
>
> Basically the flow would be something like this[1]:
>
> The web app, using the js adapter, authenticates against the KC server.
>
> Now the web app would like to call the node API server(a restricted
> endpoint) to get some data
>
> The web app probably adds the token stuff that it got from KC during it;s
> login to the request to the node server
>
> ***This next part is where i'm getting a little confused, i'm aware that
> code to do this might not be written yet****
>
> I'm thinking the node server takes the token from the web app request, and
> would hit an endpoint on the KC server to make sure that token is valid.
>
> If things go ok, then node server returns the data.
>
> I've seen the recent post on doing token introspection and abstracj was
> nice enough to make that into a gist,
> https://gist.github.com/abstractj/4cd2231a472069d8b6f63b4008c74061
>
> but this would also mean the web client access_type would need to be
> confidential(which i don't think is secure for a web app) to make a service
> account that the node server could use to do the token introspection.
>
> I was thinking of maybe creating a client also for the node server, but is
> it possible for 1 client to lookup/validate tokens from another client.
>
>
> Perhaps i'm thinking about this all wrong too, which is very possible.
>
> In this example there is only 1 node api server, but there could be
> multiple node/go/rust/<insert cool kid tech here> servers too
>
>
>
> Any guidance would be appreciated and sorry for the ramble
>
> -Luke
>
>
>
>
>
>
> [1]
> https://docs.google.com/drawings/d/1BngijxAV2j0rjz18P0XcXeY9CClCg1mwQhROYQ2iWtU/edit
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160429/f9fb94c0/attachment.html
More information about the keycloak-dev
mailing list