[keycloak-user] help with bearer + basic auth

Stian Thorgersen stian at redhat.com
Wed Jul 15 03:17:55 EDT 2015


Have a look at basic-auth example, it's included in the examples dl.

----- Original Message -----
> From: "John Casey" <jdcasey at commonjava.org>
> To: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> Sent: Tuesday, 14 July, 2015 9:23:46 PM
> Subject: Re: [keycloak-user] help with bearer + basic auth
> 
> Well, when I use "enable-basic-auth" this works fine:
> 
> $ curl -u test -i http://localhost:8081/api/admin/remote
> Enter host password for user 'test':
> HTTP/1.1 200 OK
> ...
> 
> However, that configuration causes the UI to use a 'code' query param and
> encounter 400 responses. In the keycloak server output I see:
> 
> 19:19:07,524 WARN  [org.keycloak.events] (default task-7)
> type=REFRESH_TOKEN_ERROR, realmId=master,
> clientId=security-admin-console, userId=null, ipAddress=127.0.0.1,
> error=invalid_token
> 
> I'm looking through the code keycloak uses to supply an authentication
> mechanism to undertow now, to hopefully come up with a way to handle basic
> auth...maybe through a wrapper auth mech around keycloak?
> 
> Do you have any samples / hints I might be able to follow? I'll admit,
> this is the first time I've had to look this closely at servlet/web auth
> mechanisms.
> 
> 
> On 07/14/2015 11:16 AM, Bill Burke wrote:
> > IIRC, the basic auth switch is so that you can send the token via basic
> > auth rather than as bearer auth.  This is really only useful when you
> > can't use a keycloak adapter, but can implement a LoginModule or
> > something.  It has nothing to do with basic auth.
> >
> > On 7/14/2015 12:04 PM, John Casey wrote:
> >> On 07/14/2015 10:49 AM, Juraci Paixão Kröhling wrote:
> >>> On 07/14/2015 05:32 PM, John Casey wrote:
> >>>> ...but it doesn't seem to have a javascript UI or anything using bearer
> >>>> tokens to verify that it works that way.
> >>>
> >>> Not sure I understood your question, but removing the "bearer-only" and
> >>> adding "enable-basic-auth" should be enough to have your server adapter
> >>> accept both bearer tokens and basic auth.
> >>>
> >>
> >> This is exactly what I'm trying to do. I've tried removing "bearer-only"
> >> and replacing it with "enable-basic-auth"...which has two effects:
> >>
> >> - basic auth via curl works (it didn't before the change)
> >>
> >> - the UI (using javascript adapter + bearer token) gets 400 Bad Request
> >>
> >>
> >> Are you using the javascript adapter to login for your UI, passing the
> >> bearer token to the server? I guess what I'm asking is if your
> >> application actually uses both methods (basic auth and bearer token)?
> >>
> >> I'm not sure how to filter my realm json to pare out the unnecessary
> >> stuff, but here's a gist containing the full file (it's on a test docker
> >> container, so no worries about security):
> >>
> >> https://gist.github.com/jdcasey/3f934fcd4967b99ebb05
> >>
> >
> 
> --
> John Casey
> ---
> GitHub:  https://github.com/jdcasey/
> Twitter: http://twitter.com/buildchimp
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
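The thread turns on two adapter settings, "bearer-only" and "enable-basic-auth", and on the fact that `curl -u` and the JavaScript adapter put different schemes on the `Authorization` header (Basic with a base64 `user:password` pair versus Bearer with an access token). The following is an added example, not code from the thread or from Keycloak: a simplified model of how a server-side adapter classifies the header and routes the request under each configuration. It assumes a hypothetical `decide()` function standing in for the adapter's real logic, which would additionally verify the token's signature, issuer and expiry and, for basic auth, exchange the credentials for a token (the Keycloak adapter documentation requires a client `secret` in the adapter config for "enable-basic-auth" to work).

```python
import base64
from typing import Optional, Tuple


def parse_authorization(header: Optional[str]) -> dict:
    """Classify an HTTP Authorization header into the two schemes the thread
    discusses. Returns the scheme plus whatever credentials were carried."""
    if not header:
        return {"scheme": None}
    scheme, _, value = header.strip().partition(" ")
    scheme = scheme.lower()
    value = value.strip()
    if scheme == "bearer" and value:
        # What the JavaScript adapter sends: the raw access token. A real
        # adapter validates signature, issuer, audience and expiry here.
        return {"scheme": "bearer", "token": value}
    if scheme == "basic" and value:
        # What `curl -u user` sends: base64("user:password"). Reject anything
        # that is not valid base64 or lacks the colon separator.
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return {"scheme": "basic", "error": "malformed"}
        user, sep, password = decoded.partition(":")
        if not sep:
            return {"scheme": "basic", "error": "malformed"}
        return {"scheme": "basic", "username": user, "password": password}
    return {"scheme": scheme, "error": "unsupported"}


def curl_basic_header(user: str, password: str) -> str:
    """Reproduce the header value `curl -u user:password` puts on the wire."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decide(config: dict, header: Optional[str]) -> Tuple[int, str]:
    """Hypothetical stand-in for the adapter's routing (simplified model, not
    Keycloak's code). `config` holds the keycloak.json booleans from the thread:
    "bearer-only" and "enable-basic-auth"."""
    creds = parse_authorization(header)
    if creds["scheme"] == "bearer":
        # Bearer tokens are accepted in every configuration; the adapter
        # would verify the token before letting the request through.
        return 200, "verify bearer token"
    if creds["scheme"] == "basic" and "error" not in creds:
        if config.get("enable-basic-auth"):
            # The adapter would perform a direct grant with these credentials
            # (which is why the client secret must be configured).
            return 200, "direct grant for " + creds["username"]
        return 401, "basic not enabled"
    if config.get("bearer-only"):
        # A bearer-only adapter never redirects to a login page; it challenges.
        return 401, "WWW-Authenticate: Bearer"
    # A non-bearer-only adapter starts the browser login (code) flow instead.
    return 302, "redirect to login"


if __name__ == "__main__":
    # Constructed sample credentials; not from the thread.
    basic = curl_basic_header("test", "s3cret")
    bearer = "Bearer eyJhbGciOiJSUzI1NiJ9.constructed.example"
    for cfg in ({"bearer-only": True}, {"enable-basic-auth": True}):
        for hdr in (basic, bearer, None):
            print(cfg, hdr, "->", decide(cfg, hdr))
```

The point the model makes explicit is the one Juraci and John circle around: with "bearer-only" the Basic header from `curl -u` is refused, while with "enable-basic-auth" both schemes are routed, so the 400 John sees on the bearer path is not a consequence of enabling basic auth in the adapter itself and has to be chased in the token error logged by the server.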
