[keycloak-user] propagating authentication to REST layer
Stian Thorgersen
sthorger at redhat.com
Fri Jan 8 10:47:55 EST 2016
On 8 January 2016 at 08:22, Tim Dudgeon <tdudgeon.ml at gmail.com> wrote:
> So if I understand correctly, if the REST service is running in (for
> instance) Tomcat, then I can use the standard Tomcat adapter to protect it,
> but use:
> "bearer-only" : true
> as part of the configuration, as described here:
>
> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
>
Yes
>
>
> Also, regarding those options, it's not clear to me what public-client
> means. Does that mean that there is no authentication at all? e.g. bypass
> keycloak completely?
>
Public is for "public" clients. For example HTML5 applications. They can't
use a secret to authenticate the client (as the secret would be publicly
available in either case) so they rely on redirect-uri instead.
>
>
> Tim
>
>
>
> On 06/01/2016 08:23, Stian Thorgersen wrote:
>
> The rest service doesn't check what client obtained the token only the
> realm/signature and that it contains the required roles.
> On 5 Jan 2016 10:20, "Tim Dudgeon" <tdudgeon.ml at gmail.com> wrote:
>
>> On 05/01/2016 07:36, Stian Thorgersen wrote:
>>
>>
>>
>> On 1 January 2016 at 11:52, Tim Dudgeon <tdudgeon.ml at gmail.com> wrote:
>>
>>> The user docs (
>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e54)
>>> describe exactly what I'm looking for:
>>>
>>> Signed access tokens can also be propagated by REST client requests
>>> within an Authorization header. This is great for distributed
>>> integration as applications can request a login from a client to obtain an
>>> access token, then invoke any aggregated REST invocations to other services
>>> using that access token.
>>>
>>> I have a web app (in Tomcat) that uses the Keycloak adapter for user
>>> authentication.
>>> This web app needs to access a REST service, running in a different
>>> Tomcat container and I want the REST service to use the same user
>>> authentication, but I'm not totally sure about how to go about this.
>>> Do I just grab the keycloak token in the header in the web app and add
>>> that as a header when calling the REST service, and set the REST service up
>>> to use the same Keycloak adapter configuration as the web app?
>>>
>>
>> You could or you can get the token from the adapter. Take a look at:
>>
>>
>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48
>>
>> Thanks. That's useful.
>>
>>
>>
>>>
>>> What if I want to have other ways to authenticate the REST service (e.g.
>>> access from multiple clients)?
>>>
>>
>> Not sure what you mean about this
>>
>>
>> For example, let's assume we have 2 apps, authenticating against the same
>> Keycloak realm, but as separate clients.
>> Both hit the same REST service and pass through their token to that
>> service.
>> How is the REST service to authenticate the requests?
>> All it really needs to do is check that the tokens are valid and come
>> from the expected (keycloak) source, even though the tokens were generated
>> for different clients.
>> Is there an adapter that handles this?
>>
>> Tim
>>
>>
>>
>>>
>>>
>>> Tim
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>
>
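As an added illustration of the two halves of the setup discussed above (example code, not from the thread or from the Keycloak examples repository), assuming a hypothetical REST URL and a realm role named "user":

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

// The two servlets below live in separate web apps (separate source files);
// they are shown together here only for illustration.

// (1) Web app side: runs behind the Keycloak Tomcat adapter. The adapter has
// already logged the user in and stored the security context on the request;
// we forward the signed access token to the REST service as a bearer token.
public class CallRestServlet extends HttpServlet {
    // Hypothetical REST endpoint in the second Tomcat container.
    private static final String REST_URL = "http://rest-host:8080/rest/data";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        HttpURLConnection conn = (HttpURLConnection) new URL(REST_URL).openConnection();
        // getTokenString() is the raw signed JWT; it goes in the Authorization header.
        conn.setRequestProperty("Authorization", "Bearer " + ctx.getTokenString());
        resp.setStatus(conn.getResponseCode());
    }
}

// (2) REST side: same adapter with "bearer-only": true in its keycloak.json, so
// it never redirects to a login page and only accepts Authorization: Bearer.
// The adapter verifies the realm signature and expiry before this code runs;
// it does not check which client obtained the token, so tokens issued to
// either web app in the realm are accepted. Roles can be checked here or with
// a security-constraint in web.xml.
public class DataServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                req.getAttribute(KeycloakSecurityContext.class.getName());
        AccessToken token = ctx.getToken();
        if (token.getRealmAccess() == null || !token.getRealmAccess().isUserInRole("user")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // If you later need to restrict to particular clients, the "azp" claim
        // (getIssuedFor) names the client the token was issued to.
        resp.getWriter().println("hello " + token.getPreferredUsername()
                + " via client " + token.getIssuedFor());
    }
}
```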