[keycloak-user] how to implement SSO among services with Keycloak

Marek Posolda mposolda at redhat.com
Fri Feb 13 05:33:29 EST 2015


Keycloak can serve this use-case pretty well. Once you authenticate 
application1 with Keycloak, you will receive an accessToken for this 
application. This accessToken can then be used to invoke other HTTP 
services (like "application2") and retrieve data from them. You just 
need to send the obtained accessToken in the Authorization header in a 
format like "Authorization: Bearer your-token".

Also, if your application "application2" is used just as a "container of 
REST data" for other applications and is never accessed directly by a user 
from his browser, you can configure it as "bearer-only" in the Keycloak 
admin console and in the keycloak.json of this application.

We have examples exactly for this use-case: "customer-service" uses an 
accessToken to invoke the bearer-only application "database-service" and 
obtain data from it. See the code here: 
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L56


Marek

On 12.2.2015 21:24, Kevin Chen wrote:
> In our environment, we will have multiple JBOSS instances that will host different services; they will use the same Keycloak server for authentication.
>
> One of the requirements for us is that once a user is authenticated with one service, and that service needs to invoke another service running in a different JBOSS instance, the user should not be asked to log in again.
> How can we obtain a new token and pass it to the next hop?
>
> Thanks
> Kevin
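An added example (not part of the original thread and not Keycloak's own code) of the exchange described in the reply above: application1 forwards the user's token in the Authorization header, and a bearer-only application2 answers 401, rather than redirecting to a login page, when the token is missing, altered or expired. Assumptions: the token is modelled as an HS256-signed JWT with a constructed shared key so the code runs on the standard library alone, whereas Keycloak signs with the realm's RSA key; all function names and the key are hypothetical.

```python
import base64, hashlib, hmac, json

REALM_KEY = b"constructed-demo-key"  # assumption: stands in for the realm's signing key

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(REALM_KEY, signing_input.encode(), hashlib.sha256).digest()

def mint_token(username, expires_at):
    """Stand-in for Keycloak issuing an access token to application1."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"preferred_username": username, "exp": expires_at}).encode())
    return f"{header}.{body}.{_b64(_sign(header + '.' + body))}"

def outgoing_headers(access_token):
    """application1: forward the user's token on the call to application2."""
    return {"Authorization": "Bearer " + access_token}

def bearer_only_check(headers, now):
    """application2 (bearer-only): return (HTTP status, claims); never a login redirect."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return 401, None  # no token or wrong scheme
    header, body, sig = token.split(".")
    try:
        if json.loads(_unb64(header))["alg"] != "HS256":
            return 401, None  # refuse any algorithm other than the expected one
        if not hmac.compare_digest(_sign(header + "." + body), _unb64(sig)):
            return 401, None  # signature does not cover this header and body
        claims = json.loads(_unb64(body))
        if claims["exp"] <= now:
            return 401, None  # token expired; the caller must obtain a fresh one
    except (ValueError, KeyError, TypeError, AttributeError):
        return 401, None  # malformed token
    return 200, claims
```

The token is forwarded unchanged, so application2 sees the same user identity and expiry that Keycloak issued to application1.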
