[keycloak-dev] (no subject)

Bruno Oliveira bruno at abstractj.org
Fri Apr 29 15:57:20 EDT 2016 

Luke, I believe this is what you're trying to achieve:


     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+
Taken from: https://tools.ietf.org/html/rfc6750

If yes, I believe Sebi's examples cover your scenario.
(I didn't have the chance to try Sebi's example)


On 2016-04-29, Luke Holmquist wrote:
> On Fri, Apr 29, 2016 at 2:23 PM, Sebastien Blanc <sblanc at redhat.com> wrote:
>
> > Hi Luke !
> >
> >
> > I might be wrong but I think I have the exact demo working of what you
> > describe :
> >
> > 1. the standalone webapp client :
> > https://github.com/sebastienblanc/devoxxfr/tree/master/angular-client ,
> > you can run it with "grunt serve"
> > 2. the nodejs service :
> > https://github.com/sebastienblanc/devoxxfr/tree/master/nodejs-service ,
> > run it with "npm start"
> > 3. external keycloak server running
> >
> >
> > I did not need to define any confidential client, the trick is to use
> > "bearer-only" for the nodejs service, take a look at my sample realm :
> > https://github.com/sebastienblanc/devoxxfr/blob/master/devoxxrealm.json
> >
> > i also see another realm file inside the nodejs-service directory,  is
> that for something else.  looks like it would be if you were "logging in"
> to the node server
>
>
> > And sorry if I was completly aside what you meant.
> >
> > Sebi
> >
> >
> > On Fri, Apr 29, 2016 at 7:09 PM, Luke Holmquist <lholmqui at redhat.com>
> > wrote:
> >
> >> I have a use case, that i think could be pretty common,  but i'm not
> >> entirely sure how to setup it up.
> >>
> >> The following is a little bit of a thought dump, so pardon me if i ramble
> >> a little bit.
> >>
> >>
> >> There are i think 3 components involved here:
> >>
> >> 1. a pure HTML/JS web app
> >>
> >> 2. A node.js REST  API server
> >>
> >> 3. Keycloak server
> >>
> >>
> >> The app in this case, would not be served by the node server or the KC
> >> server(wildfly), but with something like nginx(or even something like
> >> 'python simpleHTTPServer')
> >>
> >> Basically the flow would be something like this[1]:
> >>
> >> The web app, using the js adapter, authenticates against the KC server.
> >>
> >>  Now the web app would like to call the node API server(a restricted
> >> endpoint) to get some data
> >>
> >> The web app probably adds the token stuff that it got from KC during it;s
> >> login to the request to the node server
> >>
> >> ***This next part is where i'm getting a little confused, i'm aware that
> >> code to do this might not be written yet****
> >>
> >> I'm thinking the node server takes the token from the web app request,
> >> and would hit an endpoint on the KC server to make sure that token is
> >> valid.
> >>
> >> If things go ok, then node server returns the data.
> >>
> >> I've seen the recent post on doing token introspection and abstracj was
> >> nice enough to make that into a gist,
> >> https://gist.github.com/abstractj/4cd2231a472069d8b6f63b4008c74061
> >>
> >> but this would also mean the web client access_type would need to be
> >> confidential(which i don't think is secure for a web app) to make a service
> >> account that the node server could use to do the token introspection.
> >>
> >> I was thinking of maybe creating a client also for the node server, but
> >> is it possible for 1 client to lookup/validate tokens from another client.
> >>
> >>
> >> Perhaps i'm thinking about this all wrong too, which is very possible.
> >>
> >> In this example there is only 1 node api server,  but there could be
> >> multiple node/go/rust/<insert cool kid tech here> servers too
> >>
> >>
> >>
> >> Any guidance would be appreciated and sorry for the ramble
> >>
> >> -Luke
> >>
> >>
> >>
> >>
> >>
> >>
> >> [1]
> >> https://docs.google.com/drawings/d/1BngijxAV2j0rjz18P0XcXeY9CClCg1mwQhROYQ2iWtU/edit
> >>
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> >
> >

> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev


--

abstractj
PGP: 0x84DC9914

More information about the keycloak-dev mailing list