<div dir="ltr">crap, forget the subject line<br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 29, 2016 at 1:09 PM, Luke Holmquist <span dir="ltr">&lt;<a href="mailto:lholmqui@redhat.com" target="_blank">lholmqui@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I have a use case that I think could be pretty common, but I'm not entirely sure how to set it up.<div><br></div><div>The following is a little bit of a thought dump, so pardon me if I ramble a little bit.</div><div><br></div><div><br></div><div>There are, I think, 3 components involved here:</div><div><br></div><div>1. a pure HTML/JS web app</div><div><br></div><div>2. A node.js REST API server</div><div><br></div><div>3. Keycloak server</div><div><br></div><div><br></div><div>The app in this case would not be served by the node server or the KC server (WildFly), but with something like nginx (or even something like 'python SimpleHTTPServer').</div><div><br></div><div>Basically the flow would be something like this[1]:</div><div><br></div><div>The web app, using the js adapter, authenticates against the KC server.</div><div><br></div><div>Now the web app would like to call the node API server (a restricted endpoint) to get some data.</div><div><br></div><div>The web app probably adds the token stuff that it got from KC during its login to the request to the node server.</div><div><br></div><div>***This next part is where I'm getting a little confused; I'm aware that code to do this might not be written yet.****</div><div><br></div><div>I'm thinking the node server takes the token from the web app request, and would hit an endpoint on the KC server to make sure that token is valid.
</div><div><br></div><div>If things go ok, then the node server returns the data.</div><div><br></div><div>I've seen the recent post on doing token introspection, and abstractj was nice enough to make that into a gist, <a href="https://gist.github.com/abstractj/4cd2231a472069d8b6f63b4008c74061" target="_blank">https://gist.github.com/abstractj/4cd2231a472069d8b6f63b4008c74061</a></div><div><br></div><div>but this would also mean the web client access_type would need to be confidential (which I don't think is secure for a web app) to make a service account that the node server could use to do the token introspection.</div><div><br></div><div>I was thinking of maybe creating a client also for the node server, but is it possible for 1 client to look up/validate tokens from another client?</div><div><br></div><div><br></div><div>Perhaps I'm thinking about this all wrong too, which is very possible.</div><div><br></div><div>In this example there is only 1 node API server, but there could be multiple node/go/rust/&lt;insert cool kid tech here&gt; servers too.</div><div><br></div><div><br></div><div><br></div><div>Any guidance would be appreciated, and sorry for the ramble.</div><div><br></div><div>-Luke</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div>[1] <a href="https://docs.google.com/drawings/d/1BngijxAV2j0rjz18P0XcXeY9CClCg1mwQhROYQ2iWtU/edit" target="_blank">https://docs.google.com/drawings/d/1BngijxAV2j0rjz18P0XcXeY9CClCg1mwQhROYQ2iWtU/edit</a><br></div></div>
<br>_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br></blockquote></div><br></div></div>