[keycloak-user] propagating authentication to REST layer

Tim Dudgeon tdudgeon.ml at gmail.com
Tue Jan 5 04:19:33 EST 2016


On 05/01/2016 07:36, Stian Thorgersen wrote:
>
>
> On 1 January 2016 at 11:52, Tim Dudgeon <tdudgeon.ml at gmail.com 
> <mailto:tdudgeon.ml at gmail.com>> wrote:
>
>     The user docs
>     (http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e54)
>     describe exactly what I'm looking for:
>>     Signed access tokens can also be propagated by REST client
>>     requests within an Authorization header. This is great for
>>     distributed integration as applications can request a login from
>>     a client to obtain an access token, then invoke any aggregated
>>     REST invocations to other services using that access token.
>     I have a web app (in Tomcat) that uses the Keycloak adapter for
>     user authentication.
>     This web app needs to access a REST service, running in a
>     different Tomcat container and I want  the REST service to use the
>     same user authentication, but I'm not totally sure about how to go
>     about this.
>     Do I just grab the keycloak token in the header in the web app and
>     add that as a header when calling the REST service, and set the
>     REST service up to use the same Keycloak adapter configuration as
>     the web app?
>
>
> You could or you can get the token from the adapter. Take a look at:
>
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48
Thanks. That's useful.

>
>     What if I want to have other ways to authenticate the REST service
>     (e.g. access from multiple clients)?
>
>
> Not sure what you mean about this

For example, let's assume we have 2 apps, authenticating against the same 
Keycloak realm, but as separate clients.
Both hit the same REST service and pass through their token to that service.
How is the REST service to authenticate the requests?
All it really needs to do is check that the tokens are valid and come 
from the expected (keycloak) source, even though the tokens were 
generated for different clients.
Is there an adapter that handles this?

Tim
>
>
>
>     Tim
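The question above is what the REST service should check when bearer tokens arrive from different clients of the same realm. The following is an added illustration, not code from this thread or from Keycloak: it models those checks on a token shaped like a Keycloak access token (iss = realm URL, azp = the client it was issued to, typ = Bearer, exp). It signs with an HS256 demo key purely so it runs offline; real Keycloak tokens are RS256 and are verified against the realm public key. REALM_URL, KNOWN_CLIENTS, DEMO_KEY and the client names are constructed values.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not taken from the thread).
REALM_URL = "https://sso.example.com/auth/realms/demo"  # Keycloak puts the realm URL in 'iss'
KNOWN_CLIENTS = {"web-app", "reporting-app"}             # clients whose tokens the REST service accepts
DEMO_KEY = b"constructed-demo-hs256-key"  # demo only: Keycloak signs RS256 with the realm key pair

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_demo_token(client_id, exp, issuer=REALM_URL, key=DEMO_KEY):
    """Build a token shaped like a Keycloak access token (iss, azp, typ, exp) for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "azp": client_id, "typ": "Bearer", "exp": exp, "preferred_username": "alice"}
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_bearer_token(token, now=None, issuer=REALM_URL, allowed_clients=KNOWN_CLIENTS, key=DEMO_KEY):
    """Return the claims if the REST service should accept the token, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":  # never honour an unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # signature first: claims are untrusted until this passes
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:  # a validly signed token from another realm is still not ours
        raise ValueError("token not issued by the expected realm")
    if claims.get("typ") != "Bearer":  # refresh/ID tokens carry the same 'iss' but are not access tokens
        raise ValueError("not a bearer access token")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if claims.get("azp") not in allowed_clients:  # 'azp' names the client the token was issued to
        raise ValueError("token issued to an unknown client")
    return claims

def accept(token, now=None):
    """(True, username) when the token passes every check, (False, reason) otherwise."""
    try:
        return True, verify_bearer_token(token, now=now)["preferred_username"]
    except ValueError as exc:
        return False, str(exc)
```

Keycloak's own adapters offer a bearer-only mode for services that only consume tokens; the signature, issuer and expiry checks above are the core of what that mode performs, and the azp allow-list is the extra step if the service wants to limit which clients it serves.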
