Hi everybody, we are developing an application that consists of several REST web-applications written with different application frameworks (Java EE 6/ JBoss AS and Vert.x). So far we are using org.jboss.resteasy.skeleton.key.as7.OAuthAuthenticationServerValve from the skelton-key-as7 template (which as far as I can see, keycloak is based on?) as an OAuth provider and just add bearer tokens to the authentication headers of the HTTP requests between the modules. One of the really nice features for us is that the role mapping of users is included in the tokens (which is also described in the keycloak docs with a reference to JSON Web Tokens). Now the modules that are deployed to JBoss AS transparently verify the bearer tokens and RESTEasy even takes care of adding the username and the user roles to the HttpServletRequest which also allows us to use @RolesAllowed (very convenient!). What I'm wondering now is whether there is an easy way of adding validation and decoding of bearer tokens to Vert.x modules. Ideally, I would like to be able to add a jar dependency that provides me with a few methods to validate the token (make sure it is a real token, hasn't been modified and didn't expire...) and extract the user and roles from it. Since a private key is needed, I guess I would add a json config file or even just pass the required values to the API directly.

Have a look at: https://github.com/keycloak/keycloak/blob/master/testsuite/integration/sr... ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: keycloak-user(a)lists.jboss.org > Sent: Wednesday, 29 January, 2014 4:05:58 PM > Subject: Re: [keycloak-user] Verifying Bearer Tokens in Vert.x > > > > On 1/29/2014 10:58 AM, Nils Preusker wrote: > > Hi everybody, > > > > we are developing an application that consists of several REST > > web-applications written with different application frameworks (Java EE > > 6/ JBoss AS and Vert.x). So far we are > > using org.jboss.resteasy.skeleton.key.as7.OAuthAuthenticationServerValve > > from the skelton-key-as7 template (which as far as I can see, keycloak > > is based on?) as an OAuth provider and just add bearer tokens to the > > authentication headers of the HTTP requests between the modules. > > > > One of the really nice features for us is that the role mapping of users > > is included in the tokens (which is also described in the keycloak docs > > with a reference to JSON Web Tokens). > > > > Now the modules that are deployed to JBoss AS transparently verify the > > bearer tokens and RESTEasy even takes care of adding the username and > > the user roles to the HttpServletRequest which also allows us to use > > @RolesAllowed (very convenient!). > > > > What I'm wondering now is whether there is an easy way of adding > > validation and decoding of bearer tokens to Vert.x modules. Ideally, I > > would like to be able to add a jar dependency that provides me with a > > few methods to validate the token (make sure it is a real token, hasn't > > been modified and didn't expire...) and extract the user and roles from > > it. Since a private key is needed, I guess I would add a json config > > file or even just pass the required values to the API directly. > > > > Don't know anything about vert.x, but if you use the keycloak-core > module, it has all the code needed to unmarshal and verify the token. > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user