<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" id="owaParaStyle"></style>
</head>
<body bgcolor="#FFFFFF" fpstyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Ok. I was thinking about this procedure.
<div><br>
</div>
<div>The adapter verifies the access token. Does it have to contact the verification Rest endpoint ?</div>
<div><br>
</div>
<div>Once the token is verified I need the claims for business processing. Does it mean that I have to use the introspection endpont myself ? I don't know how to hit this endpoint because it seems to need the client secret.</div>
<div><br>
</div>
<div>So I am trying to verify and also access the claims.</div>
<div><br>
</div>
<div>Mohan<br>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div id="divRpF800749" style="direction: ltr;"><font face="Tahoma" size="2" color="#000000"><b>From:</b> keycloak-user-bounces@lists.jboss.org [keycloak-user-bounces@lists.jboss.org] on behalf of Bill Burke [bburke@redhat.com]<br>
<b>Sent:</b> Tuesday, July 26, 2016 8:19 PM<br>
<b>To:</b> keycloak-user@lists.jboss.org<br>
<b>Subject:</b> Re: [keycloak-user] Validate Implicit token<br>
</font><br>
</div>
<div></div>
<div>
<p>I would use keycloak.js adapter with auth-code flow. I personally don't like implicit flow for a number of reasons:</p>
<p>* access tokens get stored in browser history</p>
<p>* You have to perform the whole redirect dance when the access token expires</p>
<p>As far as Tomcat goes, we have an adapter for various tomcat versions. These tomcat instances would probably use bearer tokens to be secured. So, the javascript app uses keycloak.js to obtain the token. REST invocations to TOMCAT are secured by a bearer
token. Tomcat app has a keycloak adapter installed to be able to verify access tokens.<br>
</p>
<br>
<div class="moz-cite-prefix">On 7/26/16 9:03 AM, <a class="moz-txt-link-abbreviated" href="redir.aspx?REF=MHn5QiLIf34TEhUm71FhBttccA08swiSjOD070ZB1HBisxev2LXTCAFtYWlsdG86TW9oYW4uUmFkaGFrcmlzaG5hbkBjb2duaXphbnQuY29t" target="_blank">
Mohan.Radhakrishnan@cognizant.com</a> wrote:<br>
</div>
<blockquote type="cite"><style>
<!--
@font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif}
a:link, span.MsoHyperlink
{color:#0563C1;
text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
{color:#954F72;
text-decoration:underline}
span.EmailStyle17
{font-family:"Calibri",sans-serif;
color:windowtext}
.MsoChpDefault
{font-family:"Calibri",sans-serif}
@page WordSection1
{margin:1.0in 1.0in 1.0in 1.0in}
-->
</style>
<div class="WordSection1">
<p class="MsoNormal">Hi,</p>
<p class="MsoNormal"> I have the standalone keycloak server issuing tokens. Client is going to be JavaScript. I enabled ‘implicit’ and issued
</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><a class="moz-txt-link-freetext" href="redir.aspx?REF=RpMbXbiODMWF_NyemxaXOfH0GSo35bSPEryQzZMvuavFFBqv2LXTCAFodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvTXlSZWFsbS9wcm90b2NvbC9vcGVuaWQtY29ubmVjdC9hdXRoP3Jlc3BvbnNlX3R5cGU9aWRfdG9rZW4lMjB0b2tlbiZyZWRpcmVjdF91cmk9aHR0cCUzQSUyRiUyRmxvY2FsaG9zdDo4MDAwJTJGJnJlYWxtPQ.." target="_blank">http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/auth?response_type=id_token%20token&redirect_uri=http%3A%2F%2Flocalhost:8000%2F&realm=</a>
MyRealm &client_id= MyRealm &scope=user</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I get the id_token. I am used to getting the ‘access token’ in other IDP’s. Are they the same in Keycloak ?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">How do I verify the token inside my Tomcat ?</p>
<p class="MsoNormal">In other installations we run the IDP separately. So I am doing the same with Keycloak.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thanks,</p>
<p class="MsoNormal">Mohan</p>
</div>
This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original
message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law,
this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.
<br>
<fieldset class="mimeAttachmentHeader" target="_blank"></fieldset> <br>
<pre>_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="redir.aspx?REF=bYlyhcT49YjZmY_UN16JJ2nq2a5oH7tjxyQ2cJ2EtJjFFBqv2LXTCAFtYWlsdG86a2V5Y2xvYWstdXNlckBsaXN0cy5qYm9zcy5vcmc." target="_blank">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="redir.aspx?REF=RMsWpZpfs0Pruw-857GHYI3TOSLDtGqNcID6IxbrDMXFFBqv2LXTCAFodHRwczovL2xpc3RzLmpib3NzLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2tleWNsb2FrLXVzZXI." target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</div>
</div>
</div>
This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original
message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law,
this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.
</body>
</html>