[keycloak-user] cxf filter

Nhut Thai Le ntle at castortech.com
Thu Aug 30 16:45:24 EDT 2018


Hello,

I see the Keycloak client config supports autodetect-bearer-only so what I
want is

   1. a user tries to go to https://mysite.com/singlePageApp
   2. the application is configured to be protected by
   keycloakOIDCServletFilter (with autodetect-bearer-only=true) so it will
   redirect the user to the keycloak login page
   3. the user enters credentials and logs in
   4. KC server authenticates and redirects the user to
   https://mysite.com/singlePageApp with the KeycloakSecurityContext in the
   response header
   5. once the user lands on the singlePageApp, javascript code on the page
   sends an ajax request to my REST endpoint at https://mysite.com/rest/items
   with Authorization: bearer $TOKEN (the $TOKEN is extracted from the
   KeycloakSecurityContext)
   6. the REST endpoint is configured to be protected by
   JaxrsBearerTokenFilter using the same keycloak.json file, which validates
   the token and will return data if the token is good

What I am missing is how to get the access token out of the
KeycloakSecurityContext in step 5 from my javascript.

Hope it is clearer than my previous email

Thai

On Tue, Aug 28, 2018 at 1:34 PM, Nhut Thai Le <ntle at castortech.com> wrote:

> Hi Dmitri,
>
> About the OIDC Servlet filter, I managed to build an OSGi version of it so
> I'm OK for now :D
>
> Regarding the REST service, I think the bearer token is what I want;
> however, I'm not sure how the authentication flow works in this case. As I
> understand, to use a bearer token, I need to create a client in the keycloak
> server and set access type to bearer-only; then when making the REST call, I
> need to provide a valid "Authorization: Bearer XXX" header.
>
>    1. Where do I get this token?
>    2. If the bearer token is valid, does the keycloak adapter also put the
>    KeycloakSecurityContext with the username on the request so that I can
>    extract it later?
>    3. Does keycloak have an OSGi JAX-RS filter for the REST service or do I
>    have to implement my own?
>    (https://osgi.org/specification/osgi.cmpn/7.0.0/service.jaxrs.html#service.jaxrs.extension.services)
>
> Hope to get some insight
>
> Thai
>
>
>
> On Mon, Aug 27, 2018 at 5:59 PM, Dmitry Telegin <dt at acutus.pro> wrote:
>
>> Hello Thai,
>>
>> Seems like you've been watching the OSGification PR attentively :)
>> I'm sorry we didn't make it for Keycloak 4.3.0. Should get included in
>> 4.4.0, hopefully.
>>
>> Just in case anyone else is interested:
>> PR for Keycloak OIDC servlet filter adapter OSGification
>> https://github.com/keycloak/keycloak/pull/5383
>> PR for the docs https://github.com/keycloak/keycloak-documentation/pull/453
>> Built docs: https://keycloak-docs.github.io/deploy-docs-pullrequest/PR/453/securing_apps/index.html#using-on-osgi
>>
>> As for your question, could you please elaborate? What are you trying
>> to achieve? For REST services, you should normally use bearer token
>> authorization. In this mode, the adapter would expect a valid token in
>> "Authorization: Bearer XXX" HTTP header, otherwise it would return
>> HTTP 401. Is this what you're after?
>>
>> Cheers,
>> Dmitry Telegin
>> CTO, Acutus s.r.o.
>> Keycloak Consulting and Training
>>
>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>> +42 (022) 888-30-71
>> E-mail: info at acutus.pro
>>
>> On Mon, 2018-08-27 at 14:52 -0400, Nhut Thai Le wrote:
>> > Hello,
>> >
>> > I have a web app and a REST API running inside an OSGi environment.
>> >
>> > The web app has some servlets registered with the web container (jetty) as
>> > OSGi whiteboard services. All of these servlets are configured to be
>> > protected (authentication required) by the keycloak servlet filter.
>> >
>> > Dictionary<String, String> props = new Hashtable<>();
>> > props.put("alias", "/whiteboard");
>> > servletReg = context.registerService(Servlet.class,
>> >         new WhiteboardServlet("/test"), props);
>> >
>> > Dictionary<String, Object> filterProps = new Hashtable<String, Object>();
>> > String[] urls = { "/*" }; //$NON-NLS-1$
>> > filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_NAME,
>> >         "keycloakFilter");
>> > filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_PATTERN,
>> >         urls);
>> > keycloakFilter = context.registerService(Filter.class,
>> >         new KeycloakOIDCFilter(), filterProps);
>> >
>> > The REST API is hosted by aries-jax-rs-whiteboard.
>> >
>> > @Component(
>> >     immediate = true,
>> >     property = JAX_RS_APPLICATION_BASE + "=/rest",
>> >     service = Application.class
>> > )
>> > @Path("/common")
>> > public final class RestAPI extends Application {
>> >     public static final Response EMPTY_RESPONSE =
>> >             Response.noContent().type(MediaType.TEXT_HTML_TYPE).build();
>> >
>> >     @Override
>> >     public Set<Object> getSingletons() {
>> >         return Collections.singleton(this);
>> >     }
>> >
>> >     @GET
>> >     @Path("/getObject")
>> >     @Produces(MediaType.APPLICATION_JSON)
>> >     public String getObject() {
>> >         return "Rest call"; //$NON-NLS-1$
>> >     }
>> > }
>> >
>> > The web app has some JS code executed in the user's browser that makes an
>> > ajax call to the REST service above. Since this call happens after the user
>> > has been authenticated with keycloak and originates from the same browser
>> > session, I assume the ajax request also contains the KeycloakSecurityContext.
>> > Thus this call should be allowed to reach the REST service. What I want is to
>> > register a filter (ContainerRequestFilter) to deny access to the REST
>> > service if the user has not been authenticated.
>> > Is there an existing implementation of ContainerRequestFilter by keycloak
>> > that can do this?
>> >
>> >
>> > Thai
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> --
> Castor Technologies Inc
> 460 rue St-Catherine St Ouest, Suite 613
> Montréal, Québec H3B-1A7
> (514) 360-7208 o
> (514) 798-2044 f
> ntle at castortech.com
> www.castortech.com
>
> CONFIDENTIALITY NOTICE: The information contained in this e-mail is
> confidential and may be proprietary information intended only for the use
> of the individual or entity to whom it is addressed. If the reader of this
> message is not the intended recipient, you are hereby notified that any
> viewing, dissemination, distribution, disclosure, copy or use of the
> information contained in this e-mail message is strictly prohibited. If you
> have received and/or are viewing this e-mail in error, please immediately
> notify the sender by reply e-mail, and delete it from your system without
> reading, forwarding, copying or saving in any manner. Thank you.
> AVIS DE CONFIDENTIALITE: L’information contenue dans ce message est
> confidentiel, peut être protégé par le secret professionnel et est réservé
> à l'usage exclusif du destinataire. Toute autre personne est par les
> présentes avisée qu'il lui est strictement interdit de diffuser, distribuer
> ou reproduire ce message. Si vous avez reçu cette communication par erreur,
> veuillez la détruire immédiatement et en aviser l'expéditeur. Merci.
>



-- 
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com



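Added example for step 5 of the flow above (how the page's JavaScript gets hold of the access token that the servlet filter already validated). This is not code from the thread or from Keycloak: it is a small servlet that sits behind the same KeycloakOIDCFilter as the single-page app, reads the KeycloakSecurityContext that the filter stores on the request, and returns the compact token string so the page can send it as "Authorization: Bearer ..." to the JAX-RS endpoint guarded by JaxrsBearerTokenFilter. It assumes the servlet 3.x API and the Keycloak servlet filter adapter classes are on the classpath; the class name TokenServlet, the package name and the "/token" path are hypothetical.

```java
// Added example, not from the mailing-list thread or the Keycloak project.
// Assumption: this servlet is registered behind KeycloakOIDCFilter, so every
// request reaching it has already been authenticated by the filter.
package example;

import java.io.IOException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

public class TokenServlet extends HttpServlet {

    /** Returns the security context the Keycloak filter stored on the request, or null. */
    static KeycloakSecurityContext securityContext(HttpServletRequest request) {
        // The servlet filter adapter publishes the context as a request attribute
        // keyed by the class name; it is absent if this request was not authenticated.
        return (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        KeycloakSecurityContext ctx = securityContext(request);
        if (ctx == null) {
            // Should not happen behind the filter; never answer 200 with an empty token.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        AccessToken token = ctx.getToken();
        if (token.isExpired()) {
            // Do not hand out a token the REST side will reject anyway; let the page
            // reload the protected app so the filter can re-authenticate or refresh.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // getTokenString() is the raw compact JWT, i.e. exactly what belongs after
        // "Bearer " in the Authorization header sent to /rest/items.
        String bearer = ctx.getTokenString();

        // The token is a credential: keep it out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(
                "{\"access_token\":\"" + bearer + "\","
              + "\"expires_at\":" + token.getExpiration() + ","
              + "\"preferred_username\":\"" + escape(token.getPreferredUsername()) + "\"}");
    }

    /** Minimal JSON string escaping; the JWT itself is base64url and needs none. */
    private static String escape(String s) {
        if (s == null) {
            return "";
        }
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }
}
```

On the page, the script first does a same-origin GET of /token (cookies included, so the session established by the filter applies), then calls https://mysite.com/rest/items with the Authorization header built from access_token, and treats a 401 from either endpoint as "reload the protected page". Two caveats a reviewer would raise: once the token is served to JavaScript, any script injected into the page can read it, so the SPA needs the usual XSS controls and the /token endpoint should not be exposed cross-origin; and the REST side still relies on JaxrsBearerTokenFilter (not on the browser session) to check the signature, expiry and issuer against keycloak.json, which is what makes the bearer-only client the right access type for /rest.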