[keycloak-user] Best way to get subject without adding it as request parameter in cross domain back end REST service
Dean Peterson
peterson.dean at gmail.com
Fri Dec 19 17:05:20 EST 2014
Actually, I see it's session.getToken().getSubject();
On Fri, Dec 19, 2014 at 1:07 PM, Dean Peterson <peterson.dean at gmail.com>
wrote:
> Ok I found the answer by reading the question just above mine: "Obtaining
> the username from the security context". I did not realize that
> session.getToken() contained the information I need. I was checking in
> session.getIdToken().
>
> On Thu, Dec 18, 2014 at 1:59 PM, Dean Peterson <peterson.dean at gmail.com>
> wrote:
>
>> I am able to use a bearer token to call a java REST service from a pure
>> javascript client. Unfortunately the KeycloakSecurityContext is
>> essentially empty on the back end. I need to filter and update data by
>> subject (idToken.subject). Initially I set up my back end REST application
>> as a bearer token only application; thinking that was the problem, I
>> switched to a confidential back end application but the
>> KeycloakSecurityContext is still not populated. In order to communicate
>> with the service in a cross domain way, I still need to send a bearer
>> token, regardless of the type of application. I can get the subject in
>> javascript and add it to the list of request parameters, however, it seems
>> that leaves me open to anyone with a valid token being able to request
>> another user's data. What is the best way to handle this kind of situation
>> using Keycloak?
>>
>
>
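The conclusion of the thread, the subject must come from the token the adapter verified (`session.getToken().getSubject()`) rather than from a request parameter the JavaScript client fills in, shown side by side as an added example. This code is not from the original post or from the Keycloak project; it assumes a JAX-RS resource running behind the Keycloak servlet adapter of that era (`org.keycloak.KeycloakSecurityContext`, `org.keycloak.KeycloakPrincipal`), and the `NotesResource`, its `/insecure` sub-path and the in-memory `NOTES` store are hypothetical, constructed for illustration.

```java
package example; // hypothetical package for this added example

import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@Path("/notes")
public class NotesResource {

    // Constructed sample data keyed by Keycloak subject (the token's "sub" claim).
    private static final Map<String, List<String>> NOTES = new HashMap<>();
    static {
        NOTES.put("3f1a0c9e-subject-of-alice", List.of("alice: shopping list", "alice: draft"));
        NOTES.put("9b7e2d41-subject-of-bob", List.of("bob: meeting notes"));
    }

    // INSECURE (the approach the poster worried about): the subject is a query
    // parameter chosen by the caller. Any holder of *some* valid bearer token can
    // read another user's data just by changing ?subject=... in the request.
    @GET
    @Path("/insecure")
    @Produces("application/json")
    public List<String> listInsecure(@QueryParam("subject") String subject) {
        return NOTES.getOrDefault(subject, Collections.emptyList());
    }

    // SECURE: the subject is read from the access token the Keycloak adapter
    // already validated (signature, expiry, issuer) before the request reached us.
    // The caller cannot pick a different user without presenting that user's token.
    @GET
    @Produces("application/json")
    public Response list(@Context HttpServletRequest request) {
        KeycloakSecurityContext ctx = securityContext(request);
        if (ctx == null || ctx.getToken() == null) {
            // Adapter did not authenticate this request; never fall back to a parameter.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        AccessToken token = ctx.getToken();
        String subject = token.getSubject();
        return Response.ok(NOTES.getOrDefault(subject, Collections.emptyList())).build();
    }

    // The servlet adapter exposes the context as a request attribute keyed by the
    // class name; the authenticated principal wraps the same object, so try both.
    static KeycloakSecurityContext securityContext(HttpServletRequest request) {
        Object attr = request.getAttribute(KeycloakSecurityContext.class.getName());
        if (attr instanceof KeycloakSecurityContext) {
            return (KeycloakSecurityContext) attr;
        }
        Principal principal = request.getUserPrincipal();
        if (principal instanceof KeycloakPrincipal) {
            return ((KeycloakPrincipal<?>) principal).getKeycloakSecurityContext();
        }
        return null;
    }
}
```

Note the distinction the poster hit: on a request authenticated with a bearer token there is no ID token, so `ctx.getIdToken()` is null and the subject has to be taken from `ctx.getToken()`, the access token. The `/insecure` path is kept only to make the contrast visible; in a real service it would simply not exist.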