[keycloak-user] OpenID Connect discovery with Play Framework

Bill Burke bburke at redhat.com
Mon Sep 28 16:10:50 EDT 2015

We still need to make sure we're following the standard.  I think Stian 
is working on that.  Also, you need to make sure you're using SSL/HTTPS 
and that your client has a truststore set up for the .well-known 
endpoint.  Otherwise, you can't be guaranteed that the information you 
are getting (keys, endpoints, etc.) is valid.

On 9/28/2015 4:07 PM, Bruce Shaw wrote:
> Hello,
> I’m evaluating Keycloak as an identity provider for a few Play Framework projects using pac4j-play as the OpenID Connect client.
> There isn’t an adapter for Play so I thought I could leverage the discovery endpoint with my client to authenticate.  I wasn’t able to find any details on this in the documentation but after a little bit of digging I found the "well-known" uri that I configured with our client to authenticate successfully with our Keycloak instance.
> So because I couldn’t find much on this I was curious if this approach for authentication is recommended or supported.  Also, what is the difference in action between logging out with the “end_session_endpoint” provided by the discovery metadata versus the logout url in the documentation: “http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri” ?
> thanks,
> Bruce
> ***NOTICE*** This e-mail and/or the attached documents may contain technical data within the definition of the International Traffic in Arms Regulations and/or Export Administration Regulations, and are subject to the export control laws of the U.S. Government.  Transfer of this data by any means to a foreign person, whether in the United States or abroad, without an export license or other approval from the U.S. Department of State or Commerce, as applicable, is prohibited.  No portion of this e-mail and/or correspondence its attachment(s) may be reproduced without written consent of Mainstream Engineering Corporation.  Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.
> This electronic message (including any attachments) contains information that is privileged, confidential, and proprietary. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this electronic message in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Although Mainstream Engineering Corporation has taken reasonable precautions to ensure no viruses are present in this email, Mainstream accepts no responsibility for any loss or damage arising from the use of this email or attachments.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-user mailing list