first of all, congrats on the first alpha release of Keycloak!
We're looking for a simple and lean way to add the OAuth 2.0 Resource Owner
a Java/REST backend (JBoss AS 7, planning to switch to WildFly, JAX-RS
Since I didn't find any references in the code or the docs, I'm wondering:
does Keycloak provide an implementation of the Resource Owner Password
Credentials Grant as described in the OAuth Spec (
http://tools.ietf.org/html/rfc6749#section-4.3)? In other words, is there a
way to simply send a username and password to the auth server in exchange
for an access token (and optionally a refresh token - from previous posts I
gather this will be added soon...)?
we are developing an application that consists of several REST
web-applications written with different application frameworks (Java EE 6/
JBoss AS and Vert.x). So far we are
from the skelton-key-as7 template (which as far as I can see, keycloak is
based on?) as an OAuth provider and just add bearer tokens to the
authentication headers of the HTTP requests between the modules.
One of the really nice features for us is that the role mapping of users is
included in the tokens (which is also described in the keycloak docs with a
reference to JSON Web Tokens).
Now the modules that are deployed to JBoss AS transparently verify the
bearer tokens and RESTEasy even takes care of adding the username and the
user roles to the HttpServletRequest which also allows us to use
@RolesAllowed (very convenient!).
What I'm wondering now is whether there is an easy way of adding validation
and decoding of bearer tokens to Vert.x modules. Ideally, I would like to
be able to add a jar dependency that provides me with a few methods to
validate the token (make sure it is a real token, hasn't been modified and
didn't expire...) and extract the user and roles from it. Since a private
key is needed, I guess I would add a json config file or even just pass the
required values to the API directly.
Does that make sense?
First of all, Keycloak looks great - the alpha release is a very nice start!
I have a question about bearer token expiration. Take the included
product portal example. It is configured to use Keycloak for SSO, which
allows the user to access the product listing page. That listing page
uses the current SkeletonKeySession's token as the Bearer token when
invoking the database/products REST endpoint. This makes sense to me,
but one interesting thing happens - that token eventually times out.
Once that happens all calls to the REST endpoint fail.
Note that this occurs even if the user refreshes that product listing
page. The timeout is from login, not from the last activity (like an
http session timeout would be).
So in this scenario, how is the product page supposed to get a new token
when the old one expires?
This becomes even more relevant if the UI is not a JSP but is instead a
need to pass the token to the client layer, which would then allow me to
to a REST API. That would be a great separation, but obviously the user
should not get logged out after N minutes despite actively using the app
during that time.
I'm probably missing something obvious... :)