[keycloak-user] Get the user of the current request from the KeycloakSession?

Erik Mulder erik.mulder at docdatapayments.com
Wed Dec 16 10:34:19 EST 2015


Thanks, but I'm not sure I understand you correctly. Let me clarify:
- I'm extending the Keycloak REST webservices with some custom
resources, for instance:
http://127.0.0.1:8080/auth/realms/<realmId>/docdata/<myResource> (a
piece of code from Pedro made this possible)
- I'm implementing an SPI (also from Pedro's change) that gets a
KeycloakSession object to 'work with'.
- I do authenticate on the keycloak server using a token (OpenID
Connect) that I got from a previous successful login.
- Somewhere in the Keycloak internals this token is validated and a
User(Model/Session) is found that corresponds to this token.
- <assumption>: This User is saved somewhere in the session context

Now, my question is: How can I get hold of this User(Model/Session),
given that I have just a KeycloakSession object?

Through debugging I see that session.sessions() has a UserSessionEntity
for my current request, but since there might be more at the same time,
how can I relate my current request to the one User that is associated
with it?



On 16/12/15 15:52, Bill Burke wrote:
> On 12/16/2015 9:37 AM, Erik Mulder wrote:
>> Seems like a simple scenario, but I can't figure it out: I have an
>> instance of the KeycloakSession and I want to get the UserModel for the
>> current request. Is this possible?
>>
>> Context: I'm creating a custom REST service that runs inside keycloak
>> and needs to get some data that is related to the current authenticated
>> user. For instance the realm and client I can get through the
>> session.getContext().getClient/Realm(). I would expect a getUser() there
>> too, but I can't find it anywhere 'in' the session.
>>
>> If this isn't possible, shouldn't it be? Or if not, why not?
>>
> I'm assuming this REST request is from a browser Javascript client? 
> Login sessions are maintained only through a cookie.  You'd have to 
> login through the browser first, then read the cookie.
>
> BTW, cookies are a really bad way of securing a REST interface.  Your 
> REST interface becomes vulnerable to CSRF attacks.  I suggest you use a 
> token to secure your REST interface.  If you are already using 
> keycloak.js to login in, you can obtain the token from the Keycloak 
> javascript interface and use that to invoke your service.
>
>
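
An added example (not code from this thread, nor Keycloak's own) showing how a custom realm resource like the one described above can resolve the caller's UserModel from the bearer token rather than from the login cookie, as Bill suggests. It assumes the RealmResourceProvider SPI and the five-argument AppAuthManager.authenticateBearerToken(...) overload of the Keycloak releases of that period; the resource name whoami is made up for the example.

```java
import java.util.Collections;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.keycloak.models.KeycloakContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager.AuthResult;
import org.keycloak.services.resource.RealmResourceProvider;

// Assumed: RealmResourceProvider SPI and the AppAuthManager overload that takes
// (session, realm, UriInfo, ClientConnection, HttpHeaders), as in Keycloak 1.x.
public class WhoAmIResource implements RealmResourceProvider {

    private final KeycloakSession session;

    public WhoAmIResource(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public Object getResource() {
        return this;
    }

    // GET /auth/realms/<realmId>/docdata/whoami with "Authorization: Bearer <token>"
    @GET
    @Path("whoami")
    @Produces(MediaType.APPLICATION_JSON)
    public Response whoAmI() {
        KeycloakContext ctx = session.getContext();
        RealmModel realm = ctx.getRealm();
        // Verifies the token's signature, expiry and realm, and that the user session
        // it refers to is still active; returns null if any of that fails.
        AuthResult auth = new AppAuthManager().authenticateBearerToken(
                session, realm, ctx.getUri(), ctx.getConnection(), ctx.getRequestHeaders());
        if (auth == null) {
            // No or invalid token: fail closed, never fall back to the SSO cookie.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        UserModel user = auth.getUser();   // the user this token was issued to
        // auth.getSession() is the matching UserSessionModel, should you need it
        return Response.ok(Collections.singletonMap("username", user.getUsername())).build();
    }

    @Override
    public void close() {
    }
}
```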
