[keycloak-user] help with bearer + basic auth

John Casey jdcasey at commonjava.org
Thu Jul 16 12:50:23 EDT 2015


So, I've gone back to using this basic-auth translator to inject a 
bearer token, after wrestling with it for a couple of days. It's 
probably wrong (there's probably some way to do what I need to with 
enable-basic-auth) but I'm out of time for now. I've marked the code 
with some notes about the problems I'm seeing trying to do it the right 
way...

What I'm wondering now is if it'd be a massive security problem if I 
injected a RESPONSE header with the token in it when the basic-auth 
translator runs. This would enable my Java client API to use basic auth 
then save the bearer token and use that for future calls. It might save 
a little bit in backend round-trips to the Keycloak server.

But I don't want to open up a gaping security hole...

Thanks,

-john

-- 
John Casey
---
GitHub:  https://github.com/jdcasey/
Twitter: http://twitter.com/buildchimp
