[keycloak-user] help with bearer + basic auth

John Casey jdcasey at commonjava.org
Wed Jul 15 11:17:46 EDT 2015 

Actually, that's where I started before I originally asked this list. 
 From following the configuration examples there, and checking my realm 
configuration against that in the example, I was only able to setup ONE 
OR THE OTHER of the following cases (never both):

- basic authentication worked on the REST server, when using curl as a 
client

- the UI worked, using a bearer token (the javascript adapter was doing 
the actual sign-in)

After taking Bill's advice to look at implementing another LoginModule, 
I came up with this:

http://bit.ly/1CH4kdU

This actually satisfies both cases by doing the BASIC -> Bearer 
translation on the server side, then passing it on to Keycloak's 
authentication mechanisms...but I'm not sure it's the most elegant solution.

On 07/15/2015 02:17 AM, Stian Thorgersen wrote:
> Have a look at basic-auth example, it's included in the examples dl.
>
> ----- Original Message -----
>> From: "John Casey" <jdcasey at commonjava.org>
>> To: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
>> Sent: Tuesday, 14 July, 2015 9:23:46 PM
>> Subject: Re: [keycloak-user] help with bearer + basic auth
>>
>> Well, when I use "enable-basic-auth" this works fine:
>>
>> $ curl -u test -i http://localhost:8081/api/admin/remote
>> Enter host password for user 'test':
>> HTTP/1.1 200 OK
>> ...
>>
>> However, that configuration causes the UI use a 'code' query param and
>> encounter 400 responses. In the keycloak server output I see:
>>
>> 19:19:07,524 WARN  [org.keycloak.events] (default task-7)
>> type=REFRESH_TOKEN_ERROR, realmId=master,
>> clientId=security-admin-console, userId=null, ipAddress=127.0.0.1,
>> error=invalid_token
>>
>> I'm looking through the code keycloak uses to supply an authentication
>> mechanism to undertow now, to hopefully come with a way to handle basic
>> auth...maybe through a wrapper auth mech around keycloak?
>>
>> Do you have any samples / hints I might be able to follow? I'll admit,
>> this is the first time I've had to look this closely at servlet/web auth
>> mechanisms.
>>
>>
>> On 07/14/2015 11:16 AM, Bill Burke wrote:
>>> IIRC, the basic auth switch is so that you can send the token via basic
>>> auth rather than as bearer auth.  This is really only useful when you
>>> can't use a keycloak adapter, but can implement a LoginModule or
>>> something.  It has nothing to do with basic auth.
>>>
>>> On 7/14/2015 12:04 PM, John Casey wrote:
>>>> On 07/14/2015 10:49 AM, Juraci Paixão Kröhling wrote:
>>>>> On 07/14/2015 05:32 PM, John Casey wrote:
>>>>>> ...but it doesn't seem to have a javascript UI or anything using bearer
>>>>>> tokens to verify that it works that way.
>>>>>
>>>>> Not sure I understood your question, but removing the "bearer-only" and
>>>>> adding "enable-basic-auth" should be enough to have your server adapter
>>>>> to accept both bearer tokens and basic auth.
>>>>>
>>>>
>>>> This is exactly what I'm trying to do. I've tried removing "bearer-only"
>>>> and replaced it with "enable-basic-auth"...which has two effects:
>>>>
>>>> - basic auth via curl works (it didn't before the change)
>>>>
>>>> - the UI (using javascript adapter + bearer token) gets 400 Bad Request
>>>>
>>>>
>>>> Are you using the javascript adapter to login for your UI, passing the
>>>> bearer token to the server? I guess what I'm asking is if your
>>>> application actually uses both methods (basic auth and bearer token)?
>>>>
>>>> I'm not sure how to filter my realm json to pare out the unnecessary
>>>> stuff, but here's a gist containing the full file (it's on a test docker
>>>> container, so no worries about security):
>>>>
>>>> https://gist.github.com/jdcasey/3f934fcd4967b99ebb05
>>>>
>>>
>>
>> --
>> John Casey
>> ---
>> GitHub:  https://github.com/jdcasey/
>> Twitter: http://twitter.com/buildchimp
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

-- 
John Casey
---
GitHub:  https://github.com/jdcasey/
Twitter: http://twitter.com/buildchimp

More information about the keycloak-user mailing list