[keycloak-user] Recommendations for protecting REST service with bearer token and basic auth
bburke at redhat.com
Mon Nov 10 08:38:35 EST 2014
With basic auth, you have zero control over the client and you're
handing over credentials to that client. Simple and easy for "hello
world" apps, sure.
On 11/10/2014 3:20 AM, Gary Brown wrote:
> Currently it's for backward compatibility, maintaining the same simple authentication approach for existing clients using the REST services.
> However basic auth is a standard (and simple) approach, so I could see some cases where it would be preferred by app developers rather than accessing a Keycloak-specific service to obtain a token. One relevant case would be API management - if a backend service was protected by Keycloak, I believe it would require a specific authentication module to obtain a token per request (unless the token could be cached somewhere).
> So I think having the basic auth support will provide flexibility.
> ----- Original Message -----
>> If you are using Keycloak, I don't understand why you would want to do
>> basic auth.
>> Eventually I'm going to write a JAAS plugin for simple username/password
>> with Keycloak, but I have other stuff in my queue at the moment. For
>> your application, you'd have to write something that obtained an admin
>> token, verified the username/password, and downloaded the role mappings.
>> On 11/7/2014 9:16 AM, Gary Brown wrote:
>>> I've just started looking at KeyCloak to use with the Overlord governance
>>> I have tried the examples, and see how we could leverage KeyCloak to
>>> protect the UI apps and the backend REST services they use. However we
>>> also need to provide the REST services as independent services using basic
>>> auth - but would like the basic auth to be performed against the users
>>> managed by KeyCloak.
>>> Is there any recommendations on how this can be achieved?
>>> Do we need to provide our own filter - is there any example code to do
>>> Is it possible to do something via the KeyCloak subsystem configuration
>>> approach, in case we wanted to secure the REST service without modifying
>>> the war?
>>> Thanks in advance.
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>> Bill Burke
>> JBoss, a division of Red Hat
JBoss, a division of Red Hat
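The pieces this thread circles around, worked through as an added example: a filter that accepts Basic credentials, has Keycloak verify them, pulls the user's role mappings out of the resulting token, and caches the result so that a client sending the same credentials on every request does not cost one Keycloak round trip per request. This is editor-written Python, not Keycloak, Overlord or Red Hat code, and it swaps Bill's "admin token" idea for the OpenID Connect password grant (Keycloak's "direct access grant") against the realm's standard token endpoint. The host, realm, client id, client secret, user name, password and role names are all made up; the stub exchanger and the unsigned token builder exist only so the logic runs offline.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed deployment values (hypothetical; not from the thread).
KEYCLOAK_BASE = "https://keycloak.example.com/auth"
REALM = "overlord"
CLIENT_ID = "governance-rest"
CLIENT_SECRET = os.environ.get("KC_CLIENT_SECRET", "change-me")
TOKEN_URL = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"

MAX_CACHE_SECONDS = 60               # cap so a changed password or disabled user bites quickly
_CACHE_KEY_SECRET = os.urandom(32)   # per-process; cache keys are HMACs, never the password
_cache = {}                          # hmac(user, pw) -> (expiry_epoch, frozenset(roles))


class AuthError(Exception):
    """Any malformed or rejected credential; the caller answers 401."""


def basic_header(username, password):
    """Build an 'Authorization: Basic' value (used by the demo and tests)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic_header(header):
    """Return (username, password) from a Basic header; reject anything malformed."""
    if not header or not header.startswith("Basic "):
        raise AuthError("missing or non-Basic Authorization header")
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise AuthError("Basic credentials are not valid base64/UTF-8")
    user, sep, pw = raw.partition(":")
    if not sep or not user:
        raise AuthError("Basic credentials must be 'user:password'")
    return user, pw


def password_grant(username, password):
    """Exchange credentials at Keycloak's token endpoint (OIDC password grant).
    Keycloak answers 400/401 for bad credentials; both become AuthError."""
    body = urlencode({"grant_type": "password", "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET,
                      "username": username, "password": password}).encode()
    req = Request(TOKEN_URL, data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=5) as resp:
            return json.loads(resp.read().decode())
    except HTTPError as e:
        if e.code in (400, 401):
            raise AuthError("Keycloak rejected the credentials") from None
        raise


def jwt_claims(token):
    """Decode the JWT payload. No signature check here: the token came straight
    from the issuer over TLS and is used only for this request's decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("access_token is not a JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(seg))
    except (binascii.Error, ValueError):
        raise AuthError("access_token payload is not decodable")


def roles_from_claims(claims):
    """Realm roles plus this client's roles, where Keycloak places them in the token."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(CLIENT_ID, {}).get("roles", [])
    return frozenset(realm) | frozenset(client)


def authenticate(header, exchange=password_grant, now=time.time):
    """Filter entry point: Basic header in, role set out (or AuthError).
    Successful exchanges are cached for min(expires_in, MAX_CACHE_SECONDS)."""
    user, pw = parse_basic_header(header)
    key = hmac.new(_CACHE_KEY_SECRET, f"{user}\0{pw}".encode(), hashlib.sha256).hexdigest()
    hit = _cache.get(key)
    if hit and hit[0] > now():
        return hit[1]
    tokens = exchange(user, pw)                       # raises AuthError on bad credentials
    roles = roles_from_claims(jwt_claims(tokens["access_token"]))
    ttl = min(int(tokens.get("expires_in", 0)), MAX_CACHE_SECONDS)
    if ttl > 0:
        _cache[key] = (now() + ttl, roles)
    return roles


def require_role(roles, needed):
    """Authorization after authentication; the caller answers 403 on False."""
    return needed in roles


def unsigned_token(claims):
    """Constructed alg=none JWT so the parsing path can be exercised offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


class StubExchange:
    """Stand-in for password_grant: one constructed user, counts Keycloak calls."""
    def __init__(self):
        self.calls = 0

    def __call__(self, username, password):
        if (username, password) != ("alice", "correct horse"):
            raise AuthError("stub: bad credentials")
        self.calls += 1
        return {"access_token": unsigned_token({
                    "preferred_username": username,
                    "realm_access": {"roles": ["user"]},
                    "resource_access": {CLIENT_ID: {"roles": ["governance-admin"]}}}),
                "expires_in": 300}


if __name__ == "__main__":
    stub = StubExchange()
    hdr = basic_header("alice", "correct horse")
    roles = authenticate(hdr, exchange=stub)
    authenticate(hdr, exchange=stub)          # second request is served from the cache
    print(sorted(roles), "keycloak calls:", stub.calls)
```

Two caveats a deployment would need to weigh. The cache is what makes Basic auth affordable, but it also means a password change or a disabled account keeps working for up to `MAX_CACHE_SECONDS` on that node, which is why the cap is short and separate from Keycloak's own `expires_in`; cache keys are an HMAC under a per-process random secret so a heap dump does not yield passwords. The claims are read without a signature check only because the token was fetched directly from the issuer over TLS; if the same token is ever forwarded to another service, that service must verify it against the realm's public key as the Keycloak adapters do. The client in Keycloak must also have direct access grants enabled for the password grant to be accepted.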