[keycloak-user] Best way to get subject without adding it as request parameter in cross domain back end REST service
Bill Burke
bburke at redhat.com
Mon Dec 22 10:25:57 EST 2014
So, with Bearer token auth, the KeycloakSecurityContext is null? Or it
doesn't have any information?
On 12/18/2014 2:59 PM, Dean Peterson wrote:
> I am able to use a bearer token to call a java REST service from a pure
> javascript client. Unfortunately the KeycloakSecurityContext is
> essentially empty on the back end. I need to filter and update data by
> subject (idToken.subject) Initially I setup my back end REST
> application as a bearer token only application; thinking that was the
> problem, I switched to a confidential back end application but the
> KeycloakSecurityContext is still not populated. In order to communicate
> with the service in a cross domain way, I still need to send a bearer
> token, regardless of the type of application. I can get the subject in
> javascript and add it to the list of request parameters, however, it
> seems that leaves me open to anyone with a valid token being able to
> request another user's data. What is the best way to handle this kind
> of situation using Keycloak?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-user
mailing list