[keycloak-user] Get the user of the current request from the KeycloakSession?

Erik Mulder erik.mulder at docdatapayments.com
Thu Dec 17 08:44:51 EST 2015


> There's no way to get the user from the KeycloakContext.

Thanks for your clear answer. Digging through the sources I gradually concluded something along those lines.

The way I will solve this is to add the AdminAuth object to the RealmAdminResourceProviderFactory.create() (the admin REST service extension). The AdminAuth already contains all relevant data (realm, token, user, client) and is available at the point where my custom REST service is called. I'll make a PR of this later for anyone to be able to extend the Keycloak REST services.


On 17/12/15 11:40, Stian Thorgersen wrote:
There's no way to get the user from the KeycloakContext. Some endpoints rely on bearer token for authentication (admin endpoints), some on the server-side cookie (account) and others use a special code in the query params (authentication flows).

Assuming you are creating a REST endpoint that requires authentication using a bearer token you need to manually extract and verify the token. This is how the admin endpoints do it:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java#L139
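Putting Stian's advice and Erik's AdminAuth idea together, here is an added example (not code from the thread or from Keycloak itself) of resolving the caller of a custom resource from nothing but the KeycloakSession, by verifying the bearer token the way the admin endpoints do and wrapping the result in an AdminAuth. It only applies to bearer-token callers, not to cookie- or code-based endpoints, and the KeycloakContext accessors and AppAuthManager method names are my reading of the Keycloak 1.x API, an assumption rather than something the thread confirms.

```java
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.core.HttpHeaders;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resources.admin.AdminAuth;
// Added example: resolve the caller of a custom REST resource from the
// KeycloakSession alone, by verifying the bearer token the way the admin
// endpoints do. Method names follow my reading of the Keycloak 1.x API
// and are an assumption, not something the thread confirms.
public class BearerAuthHelper {
    // Returns realm + verified token + user + client, or throws 401.
    public static AdminAuth authenticate(KeycloakSession session) {
        HttpHeaders headers = session.getContext().getRequestHeaders();
        AppAuthManager authManager = new AppAuthManager();

        // 1. Raw token from "Authorization: Bearer ...", nothing trusted yet.
        String tokenString = authManager.extractAuthorizationHeaderToken(headers);
        if (tokenString == null) throw new NotAuthorizedException("Bearer");

        // 2. Parse (not verify) the JWS only to learn the issuing realm.
        AccessToken parsed;
        try {
            parsed = new JWSInput(tokenString).readJsonContent(AccessToken.class);
        } catch (JWSInputException e) {
            throw new NotAuthorizedException("Bearer token format error");
        }
        String issuer = parsed.getIssuer();
        RealmModel realm = session.realms().getRealmByName(
                issuer.substring(issuer.lastIndexOf('/') + 1));
        if (realm == null) throw new NotAuthorizedException("Unknown realm in token");
        session.getContext().setRealm(realm);

        // 3. Verify signature, expiry and backing user session against that
        //    realm's key. Only the values from this result are trusted.
        AuthenticationManager.AuthResult result = authManager.authenticateBearerToken(
                session, realm, session.getContext().getUri(),
                session.getContext().getConnection(), headers);
        if (result == null) throw new NotAuthorizedException("Bearer");

        ClientModel client = realm.getClientByClientId(result.getToken().getIssuedFor());
        if (client == null) throw new NotAuthorizedException("Unknown client in token");
        return new AdminAuth(realm, result.getToken(), result.getUser(), client);
    }
}
```

The user to act on is result.getUser(), taken only after step 3; the claims read in step 2 are used solely to pick the realm whose key verifies the signature.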

On 17 December 2015 at 10:06, Erik Mulder <erik.mulder at docdatapayments.com> wrote:
Thanks Fabricio, that sounds like the sort of thing I'm looking for, but I have nothing else in scope than the KeycloakSession object.
@Bill: My question is independent from the changes of Pedro.

So let's try it once more: how can I get the User(Model) of the authenticated user of the current request, if I just have a reference to the KeycloakSession? It seems to me that this should be possible, but there seems to be no way to do it. Maybe there should be a getUser() added on the KeycloakContext?



On 16/12/15 22:40, Fabricio Milone wrote:
Hi Erik,

I did something similar but in my case I have the username as a form attribute in the request, so if it is possible in your scenario to get the username as a string, this is one possible solution:

UserModel user = session.users().getUserByUsername(username, session.realms().getRealmByName(realm.getName()));

Not 100% sure if that's what you need, I hope it is :)

Regards,
Fab

On 17 December 2015 at 02:34, Erik Mulder <erik.mulder at docdatapayments.com> wrote:
Thanks, but I'm not sure I understand you correctly. Let me clarify:
- I'm extending the Keycloak REST webservices with some custom resources, for instance: http://127.0.0.1:8080/auth/realms/<realmId>/docdata/<myResource> (a piece of code from Pedro made this possible)
- I'm implementing an SPI (also from Pedro's change) that gets a KeycloakSession object to 'work with'.
- I do authenticate on the keycloak server using a token (OpenID Connect) that I got from a previous successful login.
- Somewhere in the Keycloak internals this token is validated and a User(Model/Session) is found that corresponds to this token.
- <assumption>: This User is saved somewhere in the session context

Now, my question is: How can I get hold of this User(Model/Session), given that I have just a KeycloakSession object?

Through debugging I see that session.sessions() has a UserSessionEntity for my current request, but since there might be more at the same time, how can I relate my current request to the one User that is associated with it?



On 16/12/15 15:52, Bill Burke wrote:
> On 12/16/2015 9:37 AM, Erik Mulder wrote:
>> Seems like a simple scenario, but I can't figure it out: I have an
>> instance of the KeycloakSession and I want to get the UserModel for the
>> current request. Is this possible?
>>
>> Context: I'm creating a custom REST service that runs inside keycloak
>> and needs to get some data that is related to the current authenticated
>> user. For instance the realm and client I can get through the
>> session.getContext().getClient/Realm(). I would expect a getUser() there
>> too, but I can't find it anywhere 'in' the session.
>>
>> If this isn't possible, shouldn't it be? Or if not, why not?
>>
> I'm assuming this REST request is from a browser Javascript client?
> Login sessions are maintained only through a cookie.  You'd have to
> login through the browser first, then read the cookie.
>
> BTW, cookies are a really bad way of securing a REST interface.  Your
> REST interface becomes vulnerable to CSRF attacks.  I suggest you use a
> token to secure your REST interface.  If you are already using
> keycloak.js to log in, you can obtain the token from the Keycloak
> javascript interface and use that to invoke your service.
>
>


_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user




