<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
So if I understand correctly, if the REST service is running in (for
instance) Tomcat, then I can use the standard Tomcat adapter to
protect it, but use:<br>
"bearer-only" : true<br>
as part of the configuration, as described here:<br>
<a class="moz-txt-link-freetext" href="http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config">http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config</a><br>
<br>
Also, regarding those options, it's not clear to me what
public-client means. Does that mean that there is no authentication
at all? e.g. bypass keycloak completely?<br>
<br>
Tim<br>
<br>
<br>
<div class="moz-cite-prefix">On 06/01/2016 08:23, Stian Thorgersen
wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAdqrU1jKxOcefzsJV=A98Bza0oS=bhjUnn4E2JnkzuA_w@mail.gmail.com"
type="cite">
<p dir="ltr">The REST service doesn't check what client obtained
the token, only the realm/signature and that it contains the
required roles.</p>
<div class="gmail_quote">On 5 Jan 2016 10:20, "Tim Dudgeon" &lt;<a
moz-do-not-send="true" href="mailto:tdudgeon.ml@gmail.com">tdudgeon.ml@gmail.com</a>&gt;
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> On 05/01/2016 07:36,
Stian Thorgersen wrote:<br>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 1 January 2016 at 11:52,
Tim Dudgeon <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:tdudgeon.ml@gmail.com"
target="_blank">tdudgeon.ml@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> The user
docs (<a moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e54"
target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e54</a>)
describe exactly what I'm looking for: <br>
<blockquote type="cite"> <span>Signed access
tokens can also be propagated by REST client
requests within an </span><code>Authorization</code><span> header.
This is great for distributed integration as
applications can request a login from a
client to obtain an access token, then
invoke any aggregated REST invocations to
other services using that access token.</span></blockquote>
I have a web app (in Tomcat) that uses the
Keycloak adapter for user authentication.<br>
This web app needs to access a REST service,
running in a different Tomcat container and I
want the REST service to use the same user
authentication, but I'm not totally sure about
how to go about this.<br>
Do I just grab the keycloak token in the header
in the web app and add that as a header when
calling the REST service, and set the REST
service up to use the same Keycloak adapter
configuration as the web app?<br>
</div>
</blockquote>
<div><br>
</div>
<div>You could, or you can get the token from the
adapter. Take a look at:</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48"
target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48</a><br>
</div>
</div>
</div>
</div>
</blockquote>
Thanks. That's useful.<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
What if I want to have other ways to
authenticate the REST service (e.g. access from
multiple clients)?</div>
</blockquote>
<div><br>
</div>
<div>Not sure what you mean about this</div>
</div>
</div>
</div>
</blockquote>
<br>
For example, let's assume we have 2 apps, authenticating
against the same Keycloak realm, but as separate clients.<br>
Both hit the same REST service and pass through their token
to that service.<br>
How is the REST service to authenticate the requests?<br>
All it really needs to do is check that the tokens are valid
and come from the expected (keycloak) source, even though
the tokens were generated for different clients.<br>
Is there an adapter that handles this?<br>
<br>
Tim<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span><font
color="#888888"><br>
<br>
Tim<br>
<br>
<br>
<br>
<br>
</font></span></div>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
<br>
</blockquote>
</div>
</blockquote>
<br>
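<br>
The token propagation discussed in this thread, as an added example that is not part of the original messages or the Keycloak project's code: the web app reads the access token from the adapter's <code>KeycloakSecurityContext</code> and forwards it to the REST service, which is assumed to run the Tomcat adapter with "bearer-only" : true. The class name, service URL and the <code>javax.servlet</code> API are assumptions.<br>

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.KeycloakSecurityContext;

/** Hypothetical helper used inside the Keycloak-protected web app. */
public final class RestServiceClient {

    // Assumed address of the REST service in the second Tomcat container.
    // Use HTTPS: anyone who can read a bearer token can replay it until it expires.
    private static final String SERVICE_URL = "https://rest.example.test/api/items";

    public static String fetchItems(HttpServletRequest request) throws IOException {
        // The adapter publishes the authenticated session as a request attribute.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            throw new IllegalStateException("Request was not authenticated by the Keycloak adapter");
        }

        HttpURLConnection conn = (HttpURLConnection) new URL(SERVICE_URL).openConnection();
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        conn.setRequestProperty("Accept", "application/json");
        // Propagate the user's signed access token; the bearer-only service
        // validates realm, signature and roles, not which client obtained it.
        conn.setRequestProperty("Authorization", "Bearer " + ctx.getTokenString());
        try {
            int status = conn.getResponseCode();
            if (status != HttpURLConnection.HTTP_OK) {
                // 401: token missing, expired or not signed by the realm; 403: required role absent.
                throw new IOException("REST service returned HTTP " + status);
            }
            try (InputStream in = conn.getInputStream()) {
                ByteArrayOutputStream body = new ByteArrayOutputStream();
                byte[] buf = new byte[4096];
                int n;
                while ((n = in.read(buf)) != -1) {
                    body.write(buf, 0, n);
                }
                return body.toString("UTF-8");
            }
        } finally {
            conn.disconnect();
        }
    }
}
```

Because the service does not check which client obtained the token, access decisions on the REST side rest on the realm roles carried in the token, so those role constraints need to be as narrow as the service requires.<br>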
</body>
</html>