<div dir="ltr">Hi Marek,<div>I started thinking to a public REST API because I want to offer this service also to third parties, but I see your point.</div><div>I must organize in a different way the authentication of my frontend and then the authentication of third parties.</div>
<div><br></div><div>Thank for your suggestions are very welcome.</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div>--</div>Davide</div>
<br><br><div class="gmail_quote">On Tue, Apr 15, 2014 at 11:28 AM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi Davide,<br>
<br>
I would suggest to change your flow a bit. You have frontend JEE
servlet application, which is authenticated with Keycloak. So I
think that you don't need any Keycloak accessTokens to be shared
with your AngularJS dashboard at all. I would suggest that your
AngularJS dashboard won't communicate directly with your JAX-RS
backend application, but instead it will communicate just with
your servlet JEE application, which will then re-send request to
JAX-RS application with the usage of KeycloakSecurityContext as
shown in the customer-portal example. So assuming that your
frontend application is on <br>
<a href="http://localhost:8080/frontend" target="_blank">"http://localhost:8080/frontend"</a> and your JAX-RS is at
<a href="http://localhost:8080/backend" target="_blank">"http://localhost:8080/backend"</a> you can do:<br>
<pre style>1- The user call <a href="http://.../frontend" target="_blank">http://.../frontend</a></pre><div class="">
<pre style>2- TheĀ <span style="font-family:arial">frontend </span><span style="font-family:arial">server redirects to the keycloak login</span></pre>
<pre style>3- Keycloak authenticates the user and redirects to frontend <span style="font-family:arial">server</span></pre>
</div><pre style>4- The frontend server serves the AngularJS dashboard but NOT injecting the token (So angularJS and your browser don't have direct access to token at all)
5- User clicks to something in AngularJS app, which will send request to <a href="http://localhost:8080/frontend/someEndpoint" target="_blank">http://localhost:8080/frontend/someEndpoint</a>
6- Frontend will re-send this to <a href="http://localhost:8080/backend/someBackendEndpoint" target="_blank">http://localhost:8080/backend/someBackendEndpoint</a> similarly as shown in examples, which will ensure that frontend application will attach Bearer token to the request
7- After backend request is done and received in "frontend" app, it will resend it back to AngularJS with all the data.
So your frontend app will be defacto proxy between AngularJS and "backend" JAX-RS application. With this design, you won't see any CORS related issues, which you currently have. And also you won't need to solve things like
refreshing tokens etc. as this is done automatically by adapter of JEE frontend application. So that's my suggestion.
Marek
</pre><div><div class="h5">
<br>
<br>
On 15.4.2014 01:43, Davide Ungari wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<pre style>Hi Bill,
<span style="font-family:arial">it's a mixed approach, maybe this is confusing you.</span></pre>
<pre style>> I don't understand what the flow is below. In your flow above you said
> your server is making a call to the backend service with the token and
> is authenticated correctly, right?</pre>
<pre style>My frontend is a WAR running on Tomcat and i<span style="font-family:arial">t is secured by keycloak.</span></pre>
<pre style><span style="font-family:arial">> What I don't understand is what you are doing below. Are you saying you
</span><span style="font-family:arial">> have a Browser client (Javascript) making a call to your backend?</span></pre>
<pre style>The WAR serves also an AngularJS dashboard, in this dashboard I "inject" the token from the server but then I make client side calls.</pre>
<pre style>The flow is:</pre>
<pre style>1- The user call <a href="http://.../dashboard" target="_blank">http://.../dashboard</a></pre>
<pre style>2- TheĀ <span style="font-family:arial">frontend </span><span style="font-family:arial">server redirects to the keycloak login</span></pre>
<pre style>3- Keycloak authenticates the user and redirects to frontend <span style="font-family:arial">server</span></pre>
<pre style>4- The frontend server serves the AngularJS dashboard injecting the token</pre>
<pre style>5- The client side dashboard makes ajax calls to the backend to load data</pre>
<pre style>At point 5 I see my backend is logging that the call is AUTHENTICATED but on client side I see the response is failing.</pre>
<pre style></pre>
<div>
<div>--</div>
Davide</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div></div><div class=""><pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</div></blockquote>
<br>
</div>
</blockquote></div><br></div>