On 12/16/2015 9:37 AM, Erik Mulder wrote:
Seems like a simple scenario, but I can't figure it out: I have an
instance of the KeycloakSession and I want to get the UserModel for the
current request. Is this possible?

Context: I'm creating a custom REST service that runs inside Keycloak
and needs to get some data that is related to the current authenticated
user. For instance the realm and client I can get through the
session.getContext().getClient/Realm(). I would expect a getUser() there
too, but I can't find it anywhere 'in' the session.

If this isn't possible, shouldn't it be? Or if not, why not?

I'm assuming this REST request is from a browser JavaScript client?
Login sessions are maintained only through a cookie. You'd have to
log in through the browser first, then read the cookie.

BTW, cookies are a really bad way of securing a REST interface. Your
REST interface becomes vulnerable to CSRF attacks. I suggest you use a
token to secure your REST interface. If you are already using
keycloak.js to log in, you can obtain the token from the Keycloak
JavaScript interface and use that to invoke your service.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
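
The token approach suggested in the reply above, sketched as an added example that is not part of the original thread or of Keycloak's own code. It assumes a keycloak.js instance (its `updateToken()` and `token` members); the service URL, `fetchImpl`, the `authenticate` handler and `verifyToken` are hypothetical names supplied by the caller.

```javascript
// Added example, not from the thread. `keycloak` is a keycloak.js instance;
// url, fetchImpl, authenticate and verifyToken are hypothetical.

// Build fetch options that carry the access token explicitly.
function bearerRequest(token) {
  return {
    method: 'GET',
    credentials: 'omit', // do not send the login-session cookie
    headers: { Authorization: 'Bearer ' + token },
  };
}

// Client side: refresh the token if it expires within 30 s, then call.
async function callService(keycloak, url, fetchImpl = fetch) {
  await keycloak.updateToken(30);
  return fetchImpl(url, bearerRequest(keycloak.token));
}

// Service side: identity comes only from the Authorization header.
// A Cookie header is ignored, so a cross-site request that the browser
// sends automatically with cookies attached is rejected.
function authenticate(headers, verifyToken) {
  const value = headers.authorization || headers.Authorization || '';
  const match = /^Bearer ([A-Za-z0-9\-._~+\/]+=*)$/.exec(value);
  if (!match) return { status: 401, user: null };
  // verifyToken must check signature, expiry and audience; it returns
  // the token claims, or null when the token is not acceptable.
  const claims = verifyToken(match[1]);
  if (!claims) return { status: 401, user: null };
  return { status: 200, user: claims.sub };
}
```

A page on another origin cannot read the token held by keycloak.js, so it cannot set the header that `authenticate` requires.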