[keycloak-user] REST services supporting basic auth and bearer tokens
mposolda at redhat.com
Thu Nov 27 04:46:21 EST 2014
I am not 100% sure if having basic auth with direct grant directly in
our adapters is way to go. Probably yes as for your use-case it makes
sense, so I am slightly for push your change as PR. But maybe others
from team have different opinion.
Earlier this week I've added DirectAccessGrantsLoginModule to KC
codebase, which is quite similar and is intended to be used for non-web
applications (like SSH), which rely on JAAS. But I guess that using this
one is not good option for you as you want support for Basic and Bearer
authentication in same web application, right?
Few more minor points to your changes:
- Is it possible to use net.iharder.Base64 instead of
org.apache.commons.codec.binary.Base64? Whole KC code has dependency on
net.iharder, so would be likely better to use this one to avoid possible
dependency issues in adapters.
- Wonder if it's possible to simplify a bit, like have single
"completeAuthentication" method for both bearer and basic authenticator
(afaik only difference among them is different authMethod right?). But
this is really minor.
On 26.11.2014 14:54, Gary Brown wrote:
> Concrete use case - we have implemented the OASIS S-RAMP specification, in which it requires basic auth support (http://docs.oasis-open.org/s-ramp/s-ramp/v1.0/s-ramp-v1.0-part2-atom-binding.html section 5 "The S-RAMP Specification does not attempt to define a security model for products that implement it. For the Atom Binding, the only security requirement is that at a minimum, client and server implementations MUST be capable of being configured to use HTTP Basic Authentication in conjunction with a connection made with TLS.").
> However we also need the same service to support bearer token, for use within our KeyCloak SSO session.
> I've implemented a possible solution, details defined on https://issues.jboss.org/browse/KEYCLOAK-861.
> If this solution is on the right path, I would appreciate any feedback on any changes that might be required before submitting a PR. Currently there are no tests, but would aim to provide some with the PR.
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
More information about the keycloak-user