Looks good to me, but I'd like it to be an optional feature that is enabled in
keycloak.json (should be disabled by default).
Another thing is that we should add an example + documentation for this feature.
----- Original Message -----
From: "Gary Brown" <gbrown(a)redhat.com>
To: "Marek Posolda" <mposolda(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Thursday, 27 November, 2014 10:58:21 AM
Subject: Re: [keycloak-user] REST services supporting basic auth and bearer tokens
Hi Marek
----- Original Message -----
> Hi,
>
> I am not 100% sure if having basic auth with direct grant directly in
> our adapters is way to go. Probably yes as for your use-case it makes
> sense, so I am slightly for push your change as PR. But maybe others
> from team have different opinion.
>
> Earlier this week I've added DirectAccessGrantsLoginModule to KC
> codebase, which is quite similar and is intended to be used for non-web
> applications (like SSH), which rely on JAAS. But I guess that using this
> one is not good option for you as you want support for Basic and Bearer
> authentication in same web application, right?
Thats correct.
>
> Few more minor points to your changes:
> - Is it possible to use net.iharder.Base64 instead of
> org.apache.commons.codec.binary.Base64? Whole KC code has dependency on
> net.iharder, so would be likely better to use this one to avoid possible
> dependency issues in adapters.
That shouldn't be a problem.
>
> - Wonder if it's possible to simplify a bit, like have single
> "completeAuthentication" method for both bearer and basic authenticator
> (afaik only difference among them is different authMethod right?). But
> this is really minor.
Will do.
I'll wait until mid next week before doing any more on this, to see whether
others have an opinion.
If the PR was accepted, any chance it could go into 1.1 even though in beta?
If no, any idea what the timescale is for 1.2.beta1?
Thanks for your feedback.
Regards
Gary
>
> Marek
>
> On 26.11.2014 14:54, Gary Brown wrote:
> > Hi
> >
> > Concrete use case - we have implemented the OASIS S-RAMP specification,
> > in
> > which it requires basic auth support
> >
(
http://docs.oasis-open.org/s-ramp/s-ramp/v1.0/s-ramp-v1.0-part2-atom-bind...
> > section 5 "The S-RAMP Specification does not attempt to define a security
> > model for products that implement it. For the Atom Binding, the only
> > security requirement is that at a minimum, client and server
> > implementations MUST be capable of being configured to use HTTP Basic
> > Authentication in conjunction with a connection made with TLS.").
> >
> > However we also need the same service to support bearer token, for use
> > within our KeyCloak SSO session.
> >
> > I've implemented a possible solution, details defined on
> >
https://issues.jboss.org/browse/KEYCLOAK-861.
> >
> > If this solution is on the right path, I would appreciate any feedback on
> > any changes that might be required before submitting a PR. Currently
> > there
> > are no tests, but would aim to provide some with the PR.
> >
> > Regards
> > Gary
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> >
https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user