<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 8 January 2016 at 08:22, Tim Dudgeon <span dir="ltr">&lt;<a href="mailto:tdudgeon.ml@gmail.com" target="_blank">tdudgeon.ml@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    So if I understand correctly, if the REST service is running in (for
    instance) Tomcat, then I can use the standard Tomcat adapter to
    protect it, but use:<br>
    &quot;bearer-only&quot; : true<br>
    as part of the configuration, as described here:<br>
<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config</a></div></blockquote><div><br></div><div>Yes</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><br>
    <br>
    Also, regarding those options, it's not clear to me what
    public-client means. Does that mean that there is no authentication
    at all? e.g. bypass keycloak completely?</div></blockquote><div><br></div><div>Public is for &quot;public&quot; clients. For example HTML5 applications. They can&#39;t use a secret to authenticate the client (as the secret would be publicly available in either case) so they rely on redirect-uri instead.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><span class="HOEnZb"><font color="#888888"><br>
    <br>
    Tim</font></span><div><div class="h5"><br>
    <br>
    <br>
    <div>On 06/01/2016 08:23, Stian Thorgersen
      wrote:<br>
    </div>
    <blockquote type="cite">
      <p dir="ltr">The rest service doesn&#39;t check what client obtained
        the token only the realm/signature and that it contains the
        required roles.</p>
      <div class="gmail_quote">On 5 Jan 2016 10:20, &quot;Tim Dudgeon&quot; &lt;<a href="mailto:tdudgeon.ml@gmail.com" target="_blank">tdudgeon.ml@gmail.com</a>&gt;
        wrote:<br type="attribution">
        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000"> On 05/01/2016 07:36,
            Stian Thorgersen wrote:<br>
            <blockquote type="cite">
              <div dir="ltr"><br>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On 1 January 2016 at 11:52,
                    Tim Dudgeon <span dir="ltr">&lt;<a href="mailto:tdudgeon.ml@gmail.com" target="_blank">tdudgeon.ml@gmail.com</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000"> The user
                        docs (<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e54" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e54</a>)
                        describe exactly what I&#39;m looking for: <br>
                        <blockquote type="cite"> <span>Signed access
                            tokens can also be propagated by REST client
                            requests within an<span> </span></span><code style="font-size:0.9em;font-family:courrier,monospace;white-space:nowrap;color:rgb(51,51,51);font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:18px;text-align:justify;text-indent:0px;text-transform:none;word-spacing:0px">Authorization</code><span><span> </span>header.


                            This is great for distributed integration as
                            applications can request a login from a
                            client to obtain an access token, then
                            invoke any aggregated REST invocations to
                            other services using that access token.</span></blockquote>
                        I have a web app (in Tomcat) that uses the
                        Keycloak adapter for user authentication.<br>
                        This web app needs to access a REST service,
                        running in a different Tomcat container and I
                        want the REST service to use the same user
                        authentication, but I&#39;m not totally sure about
                        how to go about this.<br>
                        Do I just grab the keycloak token in the header
                        in the web app and add that as a header when
                        calling the REST service, and set the REST
                        service up to use the same Keycloak adapter
                        configuration as the web app?<br>
                      </div>
                    </blockquote>
                    <div><br>
                    </div>
                    <div>You could or you can get the token from the
                      adapter. Take a look at:</div>
                    <div><br>
                    </div>
                    <div><a href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48" target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48</a><br>
                    </div>
                  </div>
                </div>
              </div>
            </blockquote>
            Thanks. That&#39;s useful.<br>
            <br>
            <blockquote type="cite">
              <div dir="ltr">
                <div class="gmail_extra">
                  <div class="gmail_quote">
                    <div> </div>
                    <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000"> <br>
                        What if I want to have other ways to
                        authenticate the REST service (e.g. access from
                        multiple clients)?</div>
                    </blockquote>
                    <div><br>
                    </div>
                    <div>Not sure what you mean about this</div>
                  </div>
                </div>
              </div>
            </blockquote>
            <br>
            For example, let's assume we have 2 apps, authenticating
            against the same Keycloak realm, but as separate clients.<br>
            Both hit the same REST service and pass through their token
            to that service.<br>
            How is the REST service to authenticate the requests?<br>
            All it really needs to do is check that the tokens are valid
            and come from the expected (keycloak) source, even though
            the tokens were generated for different clients.<br>
            Is there an adapter that handles this?<br>
            <br>
            Tim<br>
            <blockquote type="cite">
              <div dir="ltr">
                <div class="gmail_extra">
                  <div class="gmail_quote">
                    <div> </div>
                    <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000"><span><font color="#888888"><br>
                            <br>
                            Tim<br>
                            <br>
                            <br>
                            <br>
                            <br>
                          </font></span></div>
                      <br>
                      _______________________________________________<br>
                      keycloak-user mailing list<br>
                      <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
                      <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </blockquote>
            <br>
          </div>
          <br>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div></div>
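<p>Added example, not part of the thread and not Keycloak's own code: a Go sketch of the check a bearer-only REST service performs on a forwarded <code>Authorization: Bearer</code> header, in the situation Tim describes (two web apps registered as separate clients of one realm, both forwarding their tokens to one REST service). It verifies the realm signature, the issuer, expiry and a required realm role, and deliberately ignores <code>azp</code>, the client the token was issued to, which is the behaviour Stian describes. The RSA key pair (standing in for the realm key), the issuer URL, the client names and the roles are constructed assumptions; a real adapter fetches the realm public key from the server and reads its settings from keycloak.json (with <code>"bearer-only": true</code>).</p>

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a Keycloak access token a bearer-only service inspects; azp is the issuing client.
type Claims struct {
	Iss         string              `json:"iss"`
	Azp         string              `json:"azp"`
	Exp         int64               `json:"exp"`
	RealmAccess map[string][]string `json:"realm_access"` // {"roles": [...]}
}

// MintToken stands in for the realm: it signs an RS256 token for client azp.
// Only the realm holds the private key; adapters only ever see the public key.
func MintToken(key *rsa.PrivateKey, iss, azp string, roles []string, exp time.Time) (string, error) {
	c := Claims{Iss: iss, Azp: azp, Exp: exp.Unix(), RealmAccess: map[string][]string{"roles": roles}}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyBearer is the bearer-only REST service's check: realm signature first, then issuer, expiry
// and the required realm role. It ignores azp (the issuing client) and never dispatches on "alg".
func VerifyBearer(pub *rsa.PublicKey, authz, wantIss, wantRole string, now time.Time) (*Claims, error) {
	parts := strings.Split(strings.TrimPrefix(authz, "Bearer "), ".")
	if !strings.HasPrefix(authz, "Bearer ") || len(parts) != 3 {
		return nil, errors.New("missing or malformed bearer token")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against the realm key")
	}
	var c Claims // only a payload whose signature verified is trusted for any claim
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("payload unreadable")
	}
	if c.Iss != wantIss {
		return nil, errors.New("token issued by another realm")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	for _, r := range c.RealmAccess["roles"] {
		if r == wantRole {
			return &c, nil
		}
	}
	return nil, errors.New("required role missing")
}

// RunScenario plays out the thread: two web apps, registered as separate clients of one
// realm, forward tokens to one REST service. Key pair, issuer and client names are constructed.
func RunScenario() (map[string]bool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the realm key pair
	if err != nil {
		return nil, err
	}
	iss, now := "https://sso.example.test/auth/realms/demo", time.Now()
	exp := now.Add(5 * time.Minute)
	fromApp1, _ := MintToken(key, iss, "web-app-1", []string{"user"}, exp)
	fromApp2, _ := MintToken(key, iss, "web-app-2", []string{"user"}, exp)
	otherRealm, _ := MintToken(key, iss+"-other", "web-app-1", []string{"user"}, exp)
	noRole, _ := MintToken(key, iss, "web-app-1", []string{"guest"}, exp)
	expired, _ := MintToken(key, iss, "web-app-1", []string{"user"}, now.Add(-time.Minute))
	// fromApp1's claims carrying noRole's signature: claims edited after signing
	tampered := strings.TrimSuffix(fromApp1, strings.Split(fromApp1, ".")[2]) + strings.Split(noRole, ".")[2]
	accepted := func(tok string) bool {
		_, err := VerifyBearer(&key.PublicKey, "Bearer "+tok, iss, "user", now)
		return err == nil
	}
	return map[string]bool{
		"other_client_accepted": accepted(fromApp2), // azp differs, token still valid
		"other_realm_rejected":  !accepted(otherRealm),
		"missing_role_rejected": !accepted(noRole),
		"expired_rejected":      !accepted(expired),
		"tampered_rejected":     !accepted(tampered),
	}, nil
}

func main() {
	fmt.Println(RunScenario())
}
```

<p><code>RunScenario</code> returns, per case, whether the service behaved as the thread describes: the token obtained by the second client is accepted because only realm, signature and roles are checked, while a token from another realm, one lacking the role, an expired one, and one whose claims were edited after signing are all refused. The tampered case fails at the signature step and never reaches the role check, which is why the signature is verified before any claim is read.</p>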