[keycloak-user] Get the user of the current request from the KeycloakSession?

Stian Thorgersen sthorger at redhat.com
Thu Dec 17 05:40:22 EST 2015


There's no way to get the user from the KeycloakContext. Some endpoints
rely on bearer token for authentication (admin endpoints), some on the
server-side cookie (account) and others use a special code in the query
params (authentication flows).

Assuming you are creating a REST endpoint that requires authentication
using a bearer token you need to manually extract and verify the token.
This is how the admin endpoints do it:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java#L139

On 17 December 2015 at 10:06, Erik Mulder <erik.mulder at docdatapayments.com> wrote:

> Thanks Fabricio, that sounds like the sort of thing I'm looking for, but I
> have nothing else in scope than the KeycloakSession object.
> @Bill: My question is independent from the changes of Pedro.
>
> So let's try it once more: how can I get the User(Model) of the
> authenticated user of the current request, if I just have a reference to
> the KeycloakSession? It seems to me that this should be possible, but there
> seems to be no way to do it. Maybe there should be a getUser() added on the
> KeycloakContext?
>
>
>
> On 16/12/15 22:40, Fabricio Milone wrote:
>
> Hi Erik,
>
> I did something similar but in my case I have the username as a form
> attribute in the request, so if it is possible in your scenario to get the
> username as a string, this is one possible solution:
>
> UserModel user = session.users().getUserByUsername(username,
> session.realms().getRealmByName(realm.getName()));
>
> Not 100% sure if that's what you need, I hope it is :)
>
> Regards,
> Fab
>
> On 17 December 2015 at 02:34, Erik Mulder <erik.mulder at docdatapayments.com> wrote:
>
>> Thanks, but I'm not sure I understand you correctly. Let me clarify:
>> - I'm extending the Keycloak REST webservices with some custom
>> resources, for instance:
>> http://127.0.0.1:8080/auth/realms/<realmId>/docdata/<myResource> (a
>> piece of code from Pedro made this possible)
>> - I'm implementing an SPI (also from Pedro's change) that gets a
>> KeycloakSession object to 'work with'.
>> - I do authenticate on the keycloak server using a token (OpenID
>> Connect) that I got from a previous successful login.
>> - Somewhere in the Keycloak internals this token is validated and a
>> User(Model/Session) is found that corresponds to this token.
>> - <assumption>: This User is saved somewhere in the session context
>>
>> Now, my question is: How can I get hold of this User(Model/Session),
>> given that I have just a KeycloakSession object?
>>
>> Through debugging I see that session.sessions() has a UserSessionEntity
>> for my current request, but since there might be more at the same time,
>> how can I relate my current request to the one User that is associated
>> with it?
>>
>>
>>
>> On 16/12/15 15:52, Bill Burke wrote:
>> > On 12/16/2015 9:37 AM, Erik Mulder wrote:
>> >> Seems like a simple scenario, but I can't figure it out: I have an
>> >> instance of the KeycloakSession and I want to get the UserModel for the
>> >> current request. Is this possible?
>> >>
>> >> Context: I'm creating a custom REST service that runs inside keycloak
>> >> and needs to get some data that is related to the current authenticated
>> >> user. For instance the realm and client I can get through the
>> >> session.getContext().getClient/Realm(). I would expect a getUser()
>> there
>> >> too, but I can't find it anywhere 'in' the session.
>> >>
>> >> If this isn't possible, shouldn't it be? Or if not, why not?
>> >>
>> > I'm assuming this REST request is from a browser Javascript client?
>> > Login sessions are maintained only through a cookie.  You'd have to
>> > login through the browser first, then read the cookie.
>> >
>> > BTW, cookies are a really bad way of securing a REST interface.  Your
>> > REST interface becomes vulnerable to CSRF attacks.  I suggest you use a
>> > token to secure your REST interface.  If you are already using
>> > keycloak.js to log in, you can obtain the token from the Keycloak
>> > javascript interface and use that to invoke your service.
>> >
>> >
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
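As an added example (not code from this thread and not Keycloak's own source), here is a custom resource that follows the pattern Stian points at: it takes the bearer token off the Authorization header, verifies it against the realm already on session.getContext(), and only then derives the UserModel. The helper names (AppAuthManager, extractAuthorizationHeaderToken, authenticateBearerToken, AuthenticationManager.AuthResult, the @Context ClientConnection) are the ones the 2015-era AdminRoot.java linked above used; they have moved between Keycloak releases, so check them against the version you build against. The DocdataResource class name and the /whoami path are assumptions for illustration.

```java
import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;

import org.keycloak.common.ClientConnection;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;

// Hypothetical custom resource mounted under /auth/realms/{realm}/docdata
// (the mount path and class name are assumptions, not Keycloak's own).
public class DocdataResource {

    private final KeycloakSession session;
    private final AppAuthManager authManager = new AppAuthManager();

    // Injected the same way AdminRoot gets them; if your resource is created by
    // an SPI rather than by RESTEasy, you must inject these yourself.
    @Context
    private HttpHeaders headers;

    @Context
    private ClientConnection clientConnection;

    public DocdataResource(KeycloakSession session) {
        this.session = session;
    }

    @GET
    @Path("whoami")
    @Produces(MediaType.TEXT_PLAIN)
    public String whoami() {
        UserModel user = authenticateBearer();
        return user.getUsername();
    }

    /**
     * KeycloakContext carries no user, so resolve it as AdminRoot does:
     * extract the bearer token, verify it for the realm of this request,
     * and read the user from the AuthResult. Do not look the user up from a
     * client-supplied username, and do not scan session.sessions(): either
     * lets a caller act as a user whose token they do not hold.
     */
    private UserModel authenticateBearer() {
        // 1. Bearer token from the Authorization header; null means absent or malformed.
        String tokenString = authManager.extractAuthorizationHeaderToken(headers);
        if (tokenString == null) {
            throw new NotAuthorizedException("Bearer");
        }

        // 2. The realm is already on the context because the resource lives
        //    under /realms/{realm}; a token issued by another realm will fail
        //    signature verification against this realm's key.
        RealmModel realm = session.getContext().getRealm();

        // 3. Verifies signature, expiry, issuer and that the backing user
        //    session is still active. Returns null on any failure.
        AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(
                session, realm, session.getContext().getUri(), clientConnection, headers);
        if (authResult == null) {
            throw new NotAuthorizedException("Bearer");
        }

        // 4. The verified user. authResult.getToken() and authResult.getSession()
        //    are also available if you need claims, roles or the UserSessionModel.
        return authResult.getUser();
    }
}
```

Two caveats a practitioner will want. First, authenticateBearerToken establishes who the user is, not which client the token was issued for; if only certain clients may call the endpoint, check authResult.getToken().getIssuedFor() against the allowed client IDs yourself. Second, because this resource only honours the Authorization header and never the identity cookie, a browser cannot be tricked into calling it with ambient credentials, which is exactly the CSRF exposure Bill warns about above.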