[keycloak-user] Get the user of the current request from the KeycloakSession?

Fabricio Milone fabricio.milone at shinetech.com
Wed Dec 16 16:40:39 EST 2015


Hi Erik,

I did something similar but in my case I have the username as a form
attribute in the request, so if it is possible in your scenario to get the
username as a string, this is one possible solution:

UserModel user = session.users().getUserByUsername(username,
session.realms().getRealmByName(realm.getName()));

Not 100% sure if that's what you need, I hope it is :)

Regards,
Fab

On 17 December 2015 at 02:34, Erik Mulder <erik.mulder at docdatapayments.com>
wrote:

> Thanks, but I'm not sure I understand you correctly. Let me clarify:
> - I'm extending the Keycloak REST webservices with some custom
> resources, for instance:
> http://127.0.0.1:8080/auth/realms/<realmId>/docdata/<myResource> (a
> piece of code from Pedro made this possible)
> - I'm implementing an SPI (also from Pedro's change) that gets a
> KeycloakSession object to 'work with'.
> - I do authenticate on the keycloak server using a token (OpenID
> Connect) that I got from a previous successful login.
> - Somewhere in the Keycloak internals this token is validated and a
> User(Model/Session) is found that corresponds to this token.
> - <assumption>: This User is saved somewhere in the session context
>
> Now, my question is: How can I get hold of this User(Model/Session),
> given that I have just a KeycloakSession object?
>
> Through debugging I see that session.sessions() has a UserSessionEntity
> for my current request, but since there might be more at the same time,
> how can I relate my current request to the one User that is associated
> with it?
>
>
>
> On 16/12/15 15:52, Bill Burke wrote:
> > On 12/16/2015 9:37 AM, Erik Mulder wrote:
> >> Seems like a simple scenario, but I can't figure it out: I have an
> >> instance of the KeycloakSession and I want to get the UserModel for the
> >> current request. Is this possible?
> >>
> >> Context: I'm creating a custom REST service that runs inside keycloak
> >> and needs to get some data that is related to the current authenticated
> >> user. For instance the realm and client I can get through the
> >> session.getContext().getClient/Realm(). I would expect a getUser() there
> >> too, but I can't find it anywhere 'in' the session.
> >>
> >> If this isn't possible, shouldn't it be? Or if not, why not?
> >>
> > I'm assuming this REST request is from a browser JavaScript client?
> > Login sessions are maintained only through a cookie.  You'd have to
> > log in through the browser first, then read the cookie.
> >
> > BTW, cookies are a really bad way of securing a REST interface.  Your
> > REST interface becomes vulnerable to CSRF attacks.  I suggest you use a
> > token to secure your REST interface.  If you are already using
> > keycloak.js to log in, you can obtain the token from the Keycloak
> > JavaScript interface and use that to invoke your service.
> >
> >
>
>
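
Added example, not part of the original thread and not Keycloak's own code: one way a custom realm resource can resolve the calling user from the validated bearer token described in the question, instead of from a username supplied in the request. It assumes a Keycloak release whose AppAuthManager offers authenticateBearerToken(session, realm) and the javax.ws.rs namespace; the class name CurrentUserResource and the whoami path are hypothetical.

```java
import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager.AuthResult;

// Hypothetical resource class, e.g. returned from a RealmResourceProvider's getResource().
public class CurrentUserResource {

    private final KeycloakSession session;

    public CurrentUserResource(KeycloakSession session) {
        this.session = session;
    }

    // Resolve the caller from the Authorization: Bearer header of the current
    // request. The token is validated against the realm, so the returned user
    // is the authenticated one, not a name the client merely claims to have.
    private UserModel requireCaller() {
        RealmModel realm = session.getContext().getRealm();
        AuthResult auth = new AppAuthManager().authenticateBearerToken(session, realm);
        if (auth == null) {
            // Missing, expired or invalid token: refuse instead of falling back
            // to any request-supplied identity.
            throw new NotAuthorizedException("Bearer");
        }
        return auth.getUser();
    }

    @GET
    @Path("whoami")
    @Produces(MediaType.TEXT_PLAIN)
    public String whoAmI() {
        // Every handler that touches per-user data goes through requireCaller().
        return requireCaller().getUsername();
    }
}
```

AuthResult also exposes getSession() and getToken() when the handler needs the user session or the token's claims.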