ID Token claims in Access Token and Refresh Token
by Stian Thorgersen
As AccessToken and RefreshToken extend IDToken, they contain the ID Token claims. If I've read the spec correctly, those claims should only be in the ID Token. There should also be a separate UserInfo endpoint, which we're missing.
Is there a reason why AccessToken extends IDToken, or can we remove that?
10 years
Login with Access Token
by Christian Beikov
Hello!
I am new to OAuth so sorry if my question is dumb.
I have an App which wants to provide a custom and Facebook login. Since
many people already have the Facebook App installed, I thought it might
be better to give them the native experience and use the Facebook SDK to
implement the login.
The problem now is that I have the Access Token from the successful
Facebook login, but don't know how to properly log in at the Keycloak
server with that.
Any ideas on how to do that? Or is that even stupid and is there a
better way?
--
Kind regards,
*Christian Beikov*
10 years
Fwd: Preflight for token refresh
by Alain Penders
Hi all,
I'm building a new app using GWT 2.7 using the Keycloak javascript adapter
and GWT jsInterop. This works extremely well.
The problem I ran into is if I walk away for 5 minutes and then try to do
something, the token refresh fails on preflight. As shown in the
documentation, I call keycloak.updateToken(30) to refresh the base token in
case it has expired. Since in this case it has indeed expired, keycloak
makes a call to /auth/realms/<myrealm>/tokens/refresh. The OPTIONS call
to this location doesn't contain the Accept headers, and my app ends up
dead in the water.
To fix this, I added the following code to OpenIDConnectService:
    /**
     * CORS preflight path for refresh token requests
     *
     * @return an empty 200 response with the CORS preflight headers added
     */
    @Path("refresh")
    @OPTIONS
    @Produces(MediaType.APPLICATION_JSON)
    public Response refreshAccessTokenPreflight() {
        if (logger.isDebugEnabled()) {
            logger.debugv("cors request from: {0}",
                    request.getHttpHeaders().getRequestHeaders().getFirst("Origin"));
        }
        return Cors.add(request, Response.ok()).auth().preflight().build();
    }
If this wasn't the correct solution for my problem, I'd enjoy hearing where
I went wrong.
Thanks,
Alain
10 years
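What a browser checks in the preflight response for the refresh call described in the post above, as an added example that is not part of the original message or of Keycloak's code. The origin, the Authorization request header, the credentialed mode and all three sample responses are constructed assumptions.

```javascript
// Added example. Simplified subset of the Fetch preflight rules; wildcard
// values in Allow-Methods / Allow-Headers are not handled.
function checkPreflight(req, res) {
  const problems = [];
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  const list = (name) =>
    (h[name] || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

  if (res.status < 200 || res.status > 299) problems.push(`status ${res.status} is not 2xx`);

  const allowOrigin = h["access-control-allow-origin"];
  if (!allowOrigin) problems.push("missing Access-Control-Allow-Origin");
  else if (allowOrigin === "*" && req.credentials)
    problems.push("wildcard origin rejected for a credentialed request");
  else if (allowOrigin !== "*" && allowOrigin !== req.origin)
    problems.push(`allowed origin ${allowOrigin} does not match ${req.origin}`);

  if (req.credentials && h["access-control-allow-credentials"] !== "true")
    problems.push("missing Access-Control-Allow-Credentials: true");

  // GET, HEAD and POST are CORS-safelisted methods and need no explicit listing.
  if (!["GET", "HEAD", "POST"].includes(req.method) &&
      !list("access-control-allow-methods").includes(req.method.toLowerCase()))
    problems.push(`method ${req.method} not allowed`);

  const allowedHeaders = list("access-control-allow-headers");
  for (const name of req.headers.map((n) => n.toLowerCase()))
    if (!allowedHeaders.includes(name)) problems.push(`request header ${name} not allowed`);
  return problems;
}

// Constructed request: origin, header and credentialed mode are assumptions.
const refreshRequest = { origin: "https://app.example.test", method: "POST",
  headers: ["Authorization"], credentials: true };
// Constructed responses: no OPTIONS handler, a working handler, an over-permissive one.
const noHandler = { status: 405, headers: { Allow: "POST" } };
const withHandler = { status: 200, headers: {
  "Access-Control-Allow-Origin": "https://app.example.test",
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Methods": "POST, OPTIONS",
  "Access-Control-Allow-Headers": "Authorization, Content-Type" } };
const wildcard = { status: 200, headers: {
  "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "Authorization" } };

for (const [name, res] of Object.entries({ noHandler, withHandler, wildcard }))
  console.log(name, checkPreflight(refreshRequest, res));
```

An empty list means the browser would go on to send the actual refresh request; the wildcard case shows why echoing a validated origin matters once credentials are involved.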
Status Report - Week 48 2014
by Marek Posolda
Accomplishments and key updates:
- Keycloak and hawtio integration working and shared with hawtio team
https://github.com/hawtio/hawtio/issues/1779
- SSH and JMX authentication to Fuse with Keycloak credentials
Next steps:
- Prepare for local JBug about Keycloak on Wednesday
- Research for f2f
- Continue with Keycloak & JBoss Fuse. The next step will likely be a Jetty
adapter for securing CXF and Camel applications.
Marek
10 years
Osgi bundling for Karaf/Fuse
by Marek Posolda
I've added an OSGi bundle for Karaf/Fuse to the Keycloak distribution. For
now there is a bundle with the core adapter libraries and a bundle with JAAS
used for authentication to admin services like hawtio, SSH and JMX over
RMI. Previously I had the bundling in my hawtio fork, but I think that
it would be better to have it in the Keycloak codebase itself because of
better reusability by other OSGi services and components of Fuse.
The next step would be to add a bundle for the Jetty adapter to secure Apache CXF
and Camel applications.
I've added a wiki page with some notes
https://github.com/keycloak/keycloak/wiki/Fuse-integration on what is
done and what is still on the todo list for Fuse integration. Feel free to
add more things if I missed something. I think that admin services
(hawtio, SSH, JMX) should be quite done now.
Marek
10 years