[keycloak-user] help with bearer + basic auth
Juraci Paixão Kröhling
juraci at kroehling.de
Wed Jul 15 11:56:30 EDT 2015
It should *not* be needed. In Hawkular, we don't need to do anything
extra to get the backend adapter to accept bearer tokens *and* basic
authentication. I'd say that you are missing some configuration entry.
I'd recommend putting a breakpoint on those places and then following
the code:
http://git.io/vml9j
http://git.io/vmlXS
http://git.io/vm3Qj
- Juca.
On 07/15/2015 05:17 PM, John Casey wrote:
> Actually, that's where I started before I originally asked this list.
> From following the configuration examples there, and checking my realm
> configuration against that in the example, I was only able to setup ONE
> OR THE OTHER of the following cases (never both):
>
> - basic authentication worked on the REST server, when using curl as a
> client
>
> - the UI worked, using a bearer token (the javascript adapter was doing
> the actual sign-in)
>
> After taking Bill's advice to look at implementing another LoginModule,
> I came up with this:
>
> http://bit.ly/1CH4kdU
>
> This actually satisfies both cases by doing the BASIC -> Bearer
> translation on the server side, then passing it on to Keycloak's
> authentication mechanisms...but I'm not sure it's the most elegant solution.
>
> On 07/15/2015 02:17 AM, Stian Thorgersen wrote:
>> Have a look at basic-auth example, it's included in the examples dl.
>>
>> ----- Original Message -----
>>> From: "John Casey" <jdcasey at commonjava.org>
>>> To: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
>>> Sent: Tuesday, 14 July, 2015 9:23:46 PM
>>> Subject: Re: [keycloak-user] help with bearer + basic auth
>>>
>>> Well, when I use "enable-basic-auth" this works fine:
>>>
>>> $ curl -u test -i http://localhost:8081/api/admin/remote
>>> Enter host password for user 'test':
>>> HTTP/1.1 200 OK
>>> ...
>>>
>>> However, that configuration causes the UI use a 'code' query param and
>>> encounter 400 responses. In the keycloak server output I see:
>>>
>>> 19:19:07,524 WARN [org.keycloak.events] (default task-7)
>>> type=REFRESH_TOKEN_ERROR, realmId=master,
>>> clientId=security-admin-console, userId=null, ipAddress=127.0.0.1,
>>> error=invalid_token
>>>
>>> I'm looking through the code keycloak uses to supply an authentication
>>> mechanism to undertow now, to hopefully come with a way to handle basic
>>> auth...maybe through a wrapper auth mech around keycloak?
>>>
>>> Do you have any samples / hints I might be able to follow? I'll admit,
>>> this is the first time I've had to look this closely at servlet/web auth
>>> mechanisms.
>>>
>>>
>>> On 07/14/2015 11:16 AM, Bill Burke wrote:
>>>> IIRC, the basic auth switch is so that you can send the token via basic
>>>> auth rather than as bearer auth. This is really only useful when you
>>>> can't use a keycloak adapter, but can implement a LoginModule or
>>>> something. It has nothing to do with basic auth.
>>>>
>>>> On 7/14/2015 12:04 PM, John Casey wrote:
>>>>> On 07/14/2015 10:49 AM, Juraci Paixão Kröhling wrote:
>>>>>> On 07/14/2015 05:32 PM, John Casey wrote:
>>>>>>> ...but it doesn't seem to have a javascript UI or anything using bearer
>>>>>>> tokens to verify that it works that way.
>>>>>>
>>>>>> Not sure I understood your question, but removing the "bearer-only" and
>>>>>> adding "enable-basic-auth" should be enough to have your server adapter
>>>>>> to accept both bearer tokens and basic auth.
>>>>>>
>>>>>
>>>>> This is exactly what I'm trying to do. I've tried removing "bearer-only"
>>>>> and replaced it with "enable-basic-auth"...which has two effects:
>>>>>
>>>>> - basic auth via curl works (it didn't before the change)
>>>>>
>>>>> - the UI (using javascript adapter + bearer token) gets 400 Bad Request
>>>>>
>>>>>
>>>>> Are you using the javascript adapter to login for your UI, passing the
>>>>> bearer token to the server? I guess what I'm asking is if your
>>>>> application actually uses both methods (basic auth and bearer token)?
>>>>>
>>>>> I'm not sure how to filter my realm json to pare out the unnecessary
>>>>> stuff, but here's a gist containing the full file (it's on a test docker
>>>>> container, so no worries about security):
>>>>>
>>>>> https://gist.github.com/jdcasey/3f934fcd4967b99ebb05
>>>>>
>>>>
>>>
>>> --
>>> John Casey
>>> ---
>>> GitHub: https://github.com/jdcasey/
>>> Twitter: http://twitter.com/buildchimp
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>
More information about the keycloak-user
mailing list