<div dir="ltr">Hey guys,<div><br></div><div>I just looked at the login mechanism and the communication between the admin console and the backend in the alpha 2 release again. If I'm not mistaken, you used to use HTTP-only for the <span style="color:rgb(48,57,66);font-family:Menlo,monospace;font-size:11px;white-space:pre-wrap">KEYCLOAK_SAAS_IDENTITY </span>cookie. Did something change about that in alpha 2? When I look at the HTTP requests in the Chrome developer console, I don't see the HttpOnly flag anywhere.</div>
<div><br></div><div>Cheers,</div><div>Nils</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jan 30, 2014 at 5:23 PM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5"><br>
<br>
----- Original Message -----<br>
> From: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>><br>
> To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> Sent: Thursday, 30 January, 2014 3:46:52 PM<br>
> Subject: Re: [keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant<br>
><br>
><br>
><br>
> On 1/30/2014 9:29 AM, Nils Preusker wrote:<br>
> > Hey Bill, thanks for the clarification, I didn't realize that the cookie<br>
> > was Http-only, neat!<br>
> ><br>
> > We are building a pure HTML5 client that is also hosted separately from<br>
> > the REST-backends. The thing is that we use a reverse proxy so for the<br>
> > browser it all looks like one app since everything comes from different<br>
> > paths in the same domain.<br>
> ><br>
> > I'll try to clarify the last part of my last mail: We are currently<br>
> > using org.jboss.resteasy.skeleton.key.as7.OAuthAuthenticationServerValve<br>
> > (skeleton-key-as7) in our REST-backend modules. If I'm not mistaken,<br>
> > some parts of the code base and concepts are the same as in keycloak,<br>
> > right?<br>
> ><br>
> > So far, in the AngularJS application we've been adding bearer tokens to<br>
> > the HTTP Authorization header. Since the backend uses JAX-RS/ RestEasy,<br>
> > the verification of the bearer tokens was done transparently by<br>
> > OAuthAuthenticationServerValve and RESTEasy automatically added the<br>
> > roles etc. to the HttpServletRequest. Now in the REST backend of the<br>
> > admin app in keycloak you're doing the same thing (validating the tokens<br>
> > and extracting the roles) manually with the AuthenticationManager<br>
> > (authenticateSaasIdentityCookie(...)). So I was just wondering whether<br>
> > you are planning to make that process more transparent in the future?<br>
> ><br>
><br>
> We're doing it manually because the original idea was that the admin<br>
> service could manage multiple organizations (a SaaS), so you'd have to<br>
> set up the cookie paths correctly.<br>
><br>
> For your app, it sounds like @RolesAllowed will work. You just have to<br>
> set up the appropriate web.xml security constraints for your REST urls<br>
> in web.xml. Just set up the REST apis to require authentication and let<br>
> @RolesAllowed do the rest. The keycloak jboss/wildfly adapter can<br>
> handle BEARER token auth at the same time as regular browser oauth. If<br>
> the server is initiating the login, then you can just follow the current<br>
> keycloak examples. If not, then the Javascript lib Stian wrote is an<br>
> option (and something we'll have to document).<br>
<br>
</div></div>JS lib needs a bit of work as well, if it's something you want I can make it a priority<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
><br>
><br>
> --<br>
> Bill Burke<br>
> JBoss, a division of Red Hat<br>
> <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</div></div></blockquote></div><br></div>
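<div>The check Nils describes doing by hand in the browser developer console, as an added example that is not part of the thread and not Keycloak's own code: a small audit that parses every Set-Cookie header in a response and reports cookies that lack HttpOnly, lack Secure, or set no explicit Path (the cookie-path point Bill raises for the multi-organization setup). The header values in SAMPLE_HEADERS are constructed, not captured from a Keycloak server; the cookie name KEYCLOAK_SAAS_IDENTITY is the one from the thread, the HARDENED variant is invented for contrast.</div>

```python
"""Audit Set-Cookie headers for the attributes that protect a session cookie.

Added example for this thread; not Keycloak's own code. Sample headers are
constructed, not captured from a real server.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ParsedCookie:
    name: str
    value: str
    # Attribute names are normalised to lowercase; flag attributes such as
    # HttpOnly and Secure carry no value and are stored as None.
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    def has_flag(self, flag: str) -> bool:
        return flag.lower() in self.attributes


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Parse one Set-Cookie header value: cookie-pair followed by ';'-separated attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie-pair: {parts[0]!r}")
    cookie = ParsedCookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        key, sep, val = attr.partition("=")
        cookie.attributes[key.strip().lower()] = val.strip() if sep else None
    return cookie


def audit_cookie(cookie: ParsedCookie, over_tls: bool = True) -> List[str]:
    """Return findings for one cookie; an empty list means it passes."""
    findings: List[str] = []
    if not cookie.has_flag("httponly"):
        findings.append("missing HttpOnly: readable from page script via document.cookie")
    if over_tls and not cookie.has_flag("secure"):
        findings.append("missing Secure: browser may send it over plain HTTP")
    if "path" not in cookie.attributes:
        findings.append("no Path attribute: defaults to the request's directory, check the scope")
    return findings


def audit_response_headers(headers: List[Tuple[str, str]],
                           over_tls: bool = True) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header in a list of (header-name, value) pairs."""
    report: Dict[str, List[str]] = {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(header_value)
        report[cookie.name] = audit_cookie(cookie, over_tls)
    return report


# Constructed sample: the first cookie mirrors what Nils reports seeing (no HttpOnly);
# the second, with an invented name, is the hardened form for comparison.
SAMPLE_HEADERS = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "KEYCLOAK_SAAS_IDENTITY=constructed-token-value; Path=/auth"),
    ("Set-Cookie", "KEYCLOAK_SAAS_IDENTITY_HARDENED=constructed-token-value; Path=/auth; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for cookie_name, findings in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"[{'OK' if not findings else 'FAIL'}] {cookie_name}")
        for finding in findings:
            print("   -", finding)
```

<div>Run against a saved response (for example the header pairs copied from the developer console) the report lists, per cookie, exactly which attribute is absent, which makes the question in the thread a reproducible check rather than a visual inspection; pass over_tls=False when auditing a deliberately plain-HTTP development setup so the Secure finding does not drown out the HttpOnly one.</div>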