[keycloak-user] help with bearer + basic auth
jdcasey at commonjava.org
Thu Jul 16 12:50:23 EDT 2015
So, I've gone back to using this basic-auth translator to inject a
bearer token, after wrestling with it for a couple of days. It's
probably wrong (there's probably some way to do what I need to with
enable-basic-auth) but I'm out of time for now. I've marked the code
with some notes about the problems I'm seeing trying to do it the right
What I'm wondering now is if it'd be a massive security problem if I
injected a RESPONSE header with the token in it when the basic-auth
translator runs. This would enable my java client api to use basic auth
then save the bearer token and use that for future calls. It might save
a little bit in backend round-trips to the keycloak server.
But I don't want to open up a gaping security hole...
More information about the keycloak-user