<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix"><i>> There's no way to get the user
from the KeycloakContext.</i><i><br>
</i><br>
Thanks for your clear answer. Digging through the sources I
gradually concluded something along those lines.<br>
<br>
The way I will solve this is to add the AdminAuth object to the
RealmAdminResourceProviderFactory.create() (the admin REST service
extension). The AdminAuth already contains all relevant data
(realm, token, user, client) and is available at the point where
my custom REST service is called. I'll make a PR of this later for
anyone to be able to extend the Keycloak REST services.<br>
<br>
<br>
On 17/12/15 11:40, Stian Thorgersen wrote:<br>
</div>
<blockquote cite="mid:CAJgngAf2TvrZ_XcZMVfHio+t-irUhGizZhO20Fsd=MLgmhg6-Q@mail.gmail.com" type="cite">
<div dir="ltr">There's no way to get the user from the
KeycloakContext. Some endpoints rely on bearer token for
authentication (admin endpoints), some on the server-side cookie
(account) and others use a special code in the query params
(authentication flows).
<div><br>
</div>
        <div>Assuming you are creating a REST endpoint that requires
          authentication using a bearer token you need to manually
          extract and verify the token. This is how the admin endpoints
          do it:</div>
<div><a moz-do-not-send="true" href="https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java#L139">https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java#L139</a><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 17 December 2015 at 10:06, Erik
          Mulder <span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:erik.mulder@docdatapayments.com" target="_blank">erik.mulder@docdatapayments.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Thanks Fabricio, that sounds like the sort of thing
I'm looking for, but I have nothing else in scope than
the KeycloakSession object.<br>
@Bill: My question is independent from the changes of
Pedro.<br>
<br>
So let's try it once more: how can I get the User(Model)
of the authenticated user of the current request, if I
just have a reference to the KeycloakSession? It seems
to me that this should be possible, but there seems to
be no way to do it. Maybe there should be a getUser()
added on the KeycloakContext?
<div>
<div class="h5"><br>
<br>
<br>
On 16/12/15 22:40, Fabricio Milone wrote:<br>
</div>
</div>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr">Hi Erik,
<div><br>
</div>
<div>I did something similar but in my case I have
the username as a form attribute in the request,
                        so if it is possible in your scenario to get the
username as a string, this is one possible
solution:</div>
<div><br>
</div>
UserModel user =
session.users().getUserByUsername(<b>username</b>,
session.realms().getRealmByName(realm.getName()));<br>
<div><br>
</div>
<div>Not 100% sure if that's what you need, I hope
it is :)</div>
<div><br>
</div>
<div>Regards,</div>
<div>Fab</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 17 December 2015 at
                        02:34, Erik Mulder <span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:erik.mulder@docdatapayments.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:erik.mulder@docdatapayments.com">erik.mulder@docdatapayments.com</a></a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">Thanks, but I'm not
sure I understand you correctly. Let me
                          clarify:<br>
- I'm extending the Keycloak REST webservices
with some custom<br>
resources, for instance:<br>
                          <a moz-do-not-send="true" href="http://127.0.0.1:8080/auth/realms/" rel="noreferrer" target="_blank">http://127.0.0.1:8080/auth/realms/</a>&lt;realmId&gt;/docdata/&lt;myResource&gt;
(a<br>
piece of code from Pedro made this possible)<br>
- I'm implementing an SPI (also from Pedro's
change) that gets a<br>
KeycloakSession object to 'work with'.<br>
- I do authenticate on the keycloak server
using a token (OpenID<br>
                          Connect) that I got from a previous successful
login.<br>
- Somewhere in the Keycloak internals this
token is validated and a<br>
User(Model/Session) is found that corresponds
to this token.<br>
                          - &lt;assumption&gt;: This User is saved
somewhere in the session context<br>
<br>
Now, my question is: How can I get hold of
this User(Model/Session),<br>
given that I have just a KeycloakSession
object?<br>
<br>
Through debugging I see that
session.sessions() has a UserSessionEntity<br>
for my current request, but since there might
be more at the same time,<br>
how can I relate my current request to the one
User that is associated<br>
with it?<br>
<span><br>
<br>
<br>
On 16/12/15 15:52, Bill Burke wrote:<br>
> On 12/16/2015 9:37 AM, Erik Mulder
wrote:<br>
>> Seems like a simple scenario, but I
can't figure it out: I have an<br>
>> instance of the KeycloakSession and
I want to get the UserModel for the<br>
>> current request. Is this possible?<br>
>><br>
>> Context: I'm creating a custom REST
service that runs inside keycloak<br>
>> and needs to get some data that is
related to the current authenticated<br>
>> user. For instance the realm and
client I can get through the<br>
>>
session.getContext().getClient/Realm(). I
would expect a getUser() there<br>
>> too, but I can't find it anywhere
'in' the session.<br>
>><br>
>> If this isn't possible, shouldn't
it be? Or if not, why not?<br>
>><br>
> I'm assuming this REST request is from
a browser Javascript client?<br>
> Login sessions are maintained only
through a cookie. You'd have to<br>
> login through the browser first, then
read the cookie.<br>
><br>
> BTW, cookies are a really bad way of
securing a REST interface. Your<br>
> REST interface becomes vulnerable to
CSRF attacks. I suggest you use a<br>
> token to secure your REST interface.
If you are already using<br>
                            > keycloak.js to log in, you can obtain
the token from the Keycloak<br>
> javascript interface and use that to
invoke your service.<br>
><br>
><br>
<br>
<br>
</span>
<div>
<div>_______________________________________________<br>
keycloak-user mailing list<br>
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
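    <div>Added example (not part of the thread and not Keycloak project
      code): one way a custom resource that only holds a KeycloakSession
      can do what Stian describes, taking the user from the verified
      bearer token instead of from a request parameter. It assumes a
      Keycloak release whose AppAuthManager offers
      authenticateBearerToken(KeycloakSession, RealmModel) and the
      javax.ws.rs JAX-RS API; the package, class name and whoami path are
      hypothetical.</div>

```java
package com.example.keycloak; // hypothetical package

import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;

// Hypothetical custom resource: the SPI hands it nothing but the KeycloakSession.
public class CurrentUserResource {

    private final KeycloakSession session;

    public CurrentUserResource(KeycloakSession session) {
        this.session = session;
    }

    // Resolves the caller from the bearer token of the current request.
    // The identity is never taken from a form field or query parameter.
    private UserModel authenticatedUser() {
        RealmModel realm = session.getContext().getRealm();
        // Assumption: this overload exists in the Keycloak version in use.
        // It reads the Authorization header, verifies the token for the realm
        // and returns null when the token is missing or invalid.
        AuthenticationManager.AuthResult auth =
                new AppAuthManager().authenticateBearerToken(session, realm);
        if (auth == null) {
            // Reject the request with 401 and a Bearer challenge.
            throw new NotAuthorizedException("Bearer");
        }
        return auth.getUser();
    }

    @GET
    @Path("whoami")
    @Produces(MediaType.TEXT_PLAIN)
    public String whoAmI() {
        return authenticatedUser().getUsername();
    }
}
```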
</body>
</html>