[keycloak-user] propagating authentication to REST layer
Tim Dudgeon
tdudgeon.ml at gmail.com
Fri Jan 8 02:22:01 EST 2016
So if I understand correctly, if the REST service is running in (for
instance) Tomcat, then I can use the standard Tomcat adapter to protect
it, but use:
"bearer-only" : true
as part of the configuration, as described here:
http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
Also, regarding those options, it's not clear to me what public-client
means. Does that mean that there is no authentication at all? e.g.
bypass keycloak completely?
Tim
On 06/01/2016 08:23, Stian Thorgersen wrote:
>
> The rest service doesn't check what client obtained the token only the
> realm/signature and that it contains the required roles.
>
> On 5 Jan 2016 10:20, "Tim Dudgeon" <tdudgeon.ml at gmail.com> wrote:
>
> On 05/01/2016 07:36, Stian Thorgersen wrote:
>>
>>
>> On 1 January 2016 at 11:52, Tim Dudgeon <tdudgeon.ml at gmail.com> wrote:
>>
>> The user docs
>> (http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e54)
>> describe exactly what I'm looking for:
>>> Signed access tokens can also be propagated by REST client
>>> requests within an Authorization header. This is great for
>>> distributed integration as applications can request a login
>>> from a client to obtain an access token, then invoke any
>>> aggregated REST invocations to other services using that
>>> access token.
>> I have a web app (in Tomcat) that uses the Keycloak adapter
>> for user authentication.
>> This web app needs to access a REST service, running in a
>> different Tomcat container and I want the REST service to
>> use the same user authentication, but I'm not totally sure
>> about how to go about this.
>> Do I just grab the keycloak token in the header in the web
>> app and add that as a header when calling the REST service,
>> and set the REST service up to use the same Keycloak adapter
>> configuration as the web app?
>>
>>
>> You could or you can get the token from the adapter. Take a look at:
>>
>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48
> Thanks. That's useful.
>
>>
>> What if I want to have other ways to authenticate the REST
>> service (e.g. access from multiple clients)?
>>
>>
>> Not sure what you mean about this
>
> For example, let's assume we have 2 apps, authenticating against
> the same Keycloak realm, but as separate clients.
> Both hit the same REST service and pass through their token to
> that service.
> How is the REST service to authenticate the requests?
> All it really needs to do is check that the tokens are valid and
> come from the expected (keycloak) source, even though the tokens
> were generated for different clients.
> Is there an adapter that handles this?
>
> Tim
>>
>>
>>
>> Tim
>>
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
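
The check described in the quoted reply above (realm signature and required roles, regardless of which client obtained the token), as an added example that is not part of the original thread and is not Keycloak's adapter code. Assumptions: the toy RSA key, the issuer URL and the client ids are constructed, `issue()` is a hypothetical stand-in for the realm signing a token, and the expiry check is an addition beyond what the reply lists.

```python
import base64, hashlib, json, time

# Constructed toy RSA key (two Mersenne primes): illustration only, trivially breakable.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo header
ISSUER = "https://sso.example.test/auth/realms/demo"  # assumed realm URL

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def unb64u(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))

def encode_digest(msg):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), returned as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def issue(claims):
    """Hypothetical stand-in for the realm signing an access token (RS256)."""
    header = b64u(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    signing_input = header + b"." + b64u(json.dumps(claims).encode())
    sig = pow(encode_digest(signing_input), D, N).to_bytes(K, "big")
    return (signing_input + b"." + b64u(sig)).decode()

def authorize(token, required_role, now=None):
    """Bearer-only style check: realm signature, issuer, expiry, role. 'azp' is ignored."""
    try:
        head, body, sig = token.encode().split(b".")
        if json.loads(unb64u(head)).get("alg") != "RS256":
            return False  # pin the algorithm instead of trusting the header
        if pow(int.from_bytes(unb64u(sig), "big"), E, N) != encode_digest(head + b"." + body):
            return False  # not signed by the realm key
        claims = json.loads(unb64u(body))
        if claims.get("iss") != ISSUER or claims["exp"] <= (now or time.time()):
            return False  # wrong realm or expired
        return required_role in claims["realm_access"]["roles"]
    except (ValueError, TypeError, KeyError, AttributeError):
        return False  # malformed token

if __name__ == "__main__":
    base = {"iss": ISSUER, "exp": time.time() + 300, "realm_access": {"roles": ["user"]}}
    for client in ("web-app-a", "web-app-b"):  # constructed client ids
        print(client, authorize(issue({**base, "azp": client}), "user"))  # both True
```

Because acceptance depends only on the realm key and the roles claim, a token issued to any client in the realm passes; restricting callers to particular clients would need an extra check on the token's `azp` or `aud` claim.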