On Fri, Apr 29, 2016 at 2:23 PM, Sebastien Blanc <sblanc@redhat.com> wrote:

Hi Luke !

I might be wrong but I think I have the exact demo working of what you describe :

1. the standalone webapp client : https://github.com/sebastienblanc/devoxxfr/tree/master/angular-client , you can run it with "grunt serve"
2. the nodejs service : https://github.com/sebastienblanc/devoxxfr/tree/master/nodejs-service , run it with "npm start"
3. external keycloak server running

I did not need to define any confidential client, the trick is to use "bearer-only" for the nodejs service, take a look at my sample realm : https://github.com/sebastienblanc/devoxxfr/blob/master/devoxxrealm.json

i also see another realm file inside the nodejs-service directory, is that for something else. looks like it would be if you were "logging in" to the node server

And sorry if I was completly aside what you meant.

Sebi

On Fri, Apr 29, 2016 at 7:09 PM, Luke Holmquist <lholmqui@redhat.com> wrote:
I have a use case, that i think could be pretty common, but i'm not entirely sure how to setup it up.

The following is a little bit of a thought dump, so pardon me if i ramble a little bit.

There are i think 3 components involved here:

1. a pure HTML/JS web app

2. A node.js REST API server

3. Keycloak server

The app in this case, would not be served by the node server or the KC server(wildfly), but with something like nginx(or even something like 'python simpleHTTPServer')

Basically the flow would be something like this[1]:

The web app, using the js adapter, authenticates against the KC server.

Now the web app would like to call the node API server(a restricted endpoint) to get some data

The web app probably adds the token stuff that it got from KC during it;s login to the request to the node server

***This next part is where i'm getting a little confused, i'm aware that code to do this might not be written yet****

I'm thinking the node server takes the token from the web app request, and would hit an endpoint on the KC server to make sure that token is valid.

If things go ok, then node server returns the data.

I've seen the recent post on doing token introspection and abstracj was nice enough to make that into a gist, https://gist.github.com/abstractj/4cd2231a472069d8b6f63b4008c74061

but this would also mean the web client access_type would need to be confidential(which i don't think is secure for a web app) to make a service account that the node server could use to do the token introspection.

I was thinking of maybe creating a client also for the node server, but is it possible for 1 client to lookup/validate tokens from another client.

Perhaps i'm thinking about this all wrong too, which is very possible.

In this example there is only 1 node api server, but there could be multiple node/go/rust/<insert cool kid tech here> servers too

Any guidance would be appreciated and sorry for the ramble

-Luke

[1]https://docs.google.com/drawings/d/1BngijxAV2j0rjz18P0XcXeY9CClCg1mwQhROYQ2iWtU/edit

_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev