[keycloak-user] Best way to get subject without adding it as request parameter in cross domain back end REST service

Dean Peterson peterson.dean at gmail.com
Fri Dec 19 17:05:20 EST 2014

Actually, I see it's session.getToken().getSubject();

On Fri, Dec 19, 2014 at 1:07 PM, Dean Peterson <peterson.dean at gmail.com>

> Ok I found the answer by reading the question just above mine: "Obtaining
> the username from the security context".  I did not realize that
> session.getToken() contained the information I need.  I was checking in
> session.getIdToken().
> On Thu, Dec 18, 2014 at 1:59 PM, Dean Peterson <peterson.dean at gmail.com>
> wrote:
>> I am able to use a bearer token to call a java REST service from a pure
>> javascript client.  Unfortunately the KeycloakSecurityContext is
>> essentially empty on the back end.  I need to filter and update data by
>> subject (idToken.subject)  Initially I setup my back end REST application
>> as a bearer token only application; thinking that was the problem, I
>> switched to a confidential back end application but the
>> KeycloakSecurityContext is still not populated.  In order to communicate
>> with the service in a cross domain way, I still need to send a bearer
>> token, regardless of the type of application.  I can get the subject in
>> javascript and add it to the list of request parameters, however, it seems
>> that leaves me open to anyone with a valid token being able to request
>> another user's data.  What is the best way to handle this kind of situation
>> using Keycloak?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141219/5fa66c93/attachment.html 

More information about the keycloak-user mailing list