Re: [keycloak-user] [keycloak-dev] html app, node api server and keycloak
by Luke Holmquist
On Fri, Apr 29, 2016 at 2:01 PM, gambol <gambol99(a)gmail.com> wrote:
> If I'm not mistaken the access type would be 'public' since you can't
> secure the client secret (
> http://stackoverflow.com/questions/14574846/client-authentication-on-publ...)
> ...
>
Yeah, i think that was always the plan for the html app, possibly also with
the implicit grant flow
> In regard to the API, there's technically no need to speak to keycloak to
> verify the token, given the jwt is signed by the provider. So assuming the
> library you're using on the API pulls the jwt public keys from keycloak
> (openid discovery URL perhaps) or has it hardcoded, you have everything you
> need to verify the token.
>
> Rohith
> crap, forget the subject line
>
> On Fri, Apr 29, 2016 at 1:09 PM, Luke Holmquist <lholmqui(a)redhat.com>
> wrote:
>
>> I have a use case, that i think could be pretty common, but i'm not
>> entirely sure how to set it up.
>>
>> The following is a little bit of a thought dump, so pardon me if i ramble
>> a little bit.
>>
>>
>> There are i think 3 components involved here:
>>
>> 1. a pure HTML/JS web app
>>
>> 2. A node.js REST API server
>>
>> 3. Keycloak server
>>
>>
>> The app in this case, would not be served by the node server or the KC
>> server(wildfly), but with something like nginx(or even something like
>> 'python simpleHTTPServer')
>>
>> Basically the flow would be something like this[1]:
>>
>> The web app, using the js adapter, authenticates against the KC server.
>>
>> Now the web app would like to call the node API server(a restricted
>> endpoint) to get some data
>>
>> The web app probably adds the token stuff that it got from KC during its
>> login to the request to the node server
>>
>> ***This next part is where i'm getting a little confused, i'm aware that
>> code to do this might not be written yet****
>>
>> I'm thinking the node server takes the token from the web app request,
>> and would hit an endpoint on the KC server to make sure that token is
>> valid.
>>
>> If things go ok, then node server returns the data.
>>
>> I've seen the recent post on doing token introspection and abstractj was
>> nice enough to make that into a gist,
>> https://gist.github.com/abstractj/4cd2231a472069d8b6f63b4008c74061
>>
>> but this would also mean the web client access_type would need to be
>> confidential(which i don't think is secure for a web app) to make a service
>> account that the node server could use to do the token introspection.
>>
>> I was thinking of maybe creating a client also for the node server, but
>> is it possible for 1 client to lookup/validate tokens from another client.
>>
>>
>> Perhaps i'm thinking about this all wrong too, which is very possible.
>>
>> In this example there is only 1 node api server, but there could be
>> multiple node/go/rust/<insert cool kid tech here> servers too
>>
>>
>>
>> Any guidance would be appreciated and sorry for the ramble
>>
>> -Luke
>>
>>
>>
>>
>>
>>
>> [1]
>> https://docs.google.com/drawings/d/1BngijxAV2j0rjz18P0XcXeY9CClCg1mwQhROY...
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
8 years, 7 months
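Added example (not part of the original thread, and not Keycloak's or any adapter's code): the offline check Rohith describes, done on the Node API side with only Node's built-in crypto module. The throwaway key pair, the issuer URL and the function names are assumptions for the demo; in a deployment the public key would be the realm's key, hardcoded or fetched as the reply suggests.

```javascript
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Verify signature and basic claims offline; returns the payload or throws.
function verifyAccessToken(token, publicKey, { issuer, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm: the token must not choose it (rejects "none" and HS256).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`),
                           publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (typeof payload.exp !== 'number' || payload.exp <= now) throw new Error('expired');
  if (payload.iss !== issuer) throw new Error('wrong issuer');
  return payload;
}

// Constructed demo data: a throwaway key pair stands in for the realm key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUER = 'https://keycloak.example/auth/realms/demo'; // hypothetical issuer

// Builds a signed token for the demo (the role the identity provider plays).
function signDemoToken(claims, key = privateKey) {
  const h = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const p = b64url(JSON.stringify(claims));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${h}.${p}`), key);
  return `${h}.${p}.${b64url(sig)}`;
}

// Returns the subject on success, or the rejection reason as a string.
function check(token) {
  try {
    return verifyAccessToken(token, publicKey, { issuer: ISSUER, now: 1000 }).sub;
  } catch (e) {
    return e.message;
  }
}
```

A token verified this way stays acceptable until its exp even if the session is ended on the server, so short token lifetimes matter when the API never calls back.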
Re: [keycloak-user] [keycloak-dev] html app, node api server and keycloak
by Luke Holmquist
crap, forget the subject line
On Fri, Apr 29, 2016 at 1:09 PM, Luke Holmquist <lholmqui(a)redhat.com> wrote:
> I have a use case, that i think could be pretty common, but i'm not
> entirely sure how to set it up.
>
> The following is a little bit of a thought dump, so pardon me if i ramble
> a little bit.
>
>
> There are i think 3 components involved here:
>
> 1. a pure HTML/JS web app
>
> 2. A node.js REST API server
>
> 3. Keycloak server
>
>
> The app in this case, would not be served by the node server or the KC
> server(wildfly), but with something like nginx(or even something like
> 'python simpleHTTPServer')
>
> Basically the flow would be something like this[1]:
>
> The web app, using the js adapter, authenticates against the KC server.
>
> Now the web app would like to call the node API server(a restricted
> endpoint) to get some data
>
> The web app probably adds the token stuff that it got from KC during its
> login to the request to the node server
>
> ***This next part is where i'm getting a little confused, i'm aware that
> code to do this might not be written yet****
>
> I'm thinking the node server takes the token from the web app request, and
> would hit an endpoint on the KC server to make sure that token is valid.
>
> If things go ok, then node server returns the data.
>
> I've seen the recent post on doing token introspection and abstractj was
> nice enough to make that into a gist,
> https://gist.github.com/abstractj/4cd2231a472069d8b6f63b4008c74061
>
> but this would also mean the web client access_type would need to be
> confidential(which i don't think is secure for a web app) to make a service
> account that the node server could use to do the token introspection.
>
> I was thinking of maybe creating a client also for the node server, but is
> it possible for 1 client to lookup/validate tokens from another client.
>
>
> Perhaps i'm thinking about this all wrong too, which is very possible.
>
> In this example there is only 1 node api server, but there could be
> multiple node/go/rust/<insert cool kid tech here> servers too
>
>
>
> Any guidance would be appreciated and sorry for the ramble
>
> -Luke
>
>
>
>
>
>
> [1]
> https://docs.google.com/drawings/d/1BngijxAV2j0rjz18P0XcXeY9CClCg1mwQhROY...
>
8 years, 7 months
Modify Email template
by JAYAPRIYA ATHEESAN
Hi team,
A mail is being sent from keycloak, when we enable verify option and
password reset option.
Someone has created a Giggzo account with this email address. If this was
you, click the link below to verify your email address
https://<host_name>:8444/auth/realms/giggzo/login-actions/email-verification?key=aKn9xARWV3hpXw_bjwfHwrGAcyGrhRx9vXAm4jICE8Y.e74ce8ec-8c36-4a3b-8fc6-bbe5fd289ee1
This link will expire within 5 minutes.
If you didn't create this account, just ignore this message.
Is it possible to change this message content? And increase the expiry time
from 5mins to 1hr.
Thanks,
Jayapriya Atheesan
8 years, 7 months
Problem in getting access token from facebook identity provider
by JAYAPRIYA ATHEESAN
Hi All,
I'm facing issue in getting access token from facebook identity provider.
This is the code I'm using for fetching the access token, but the method
doesn't succeed.
    $http.get('/auth/realms/facebook-identity-provider-realm/broker/facebook/token').success(function(data) {
        var accessTokenParameter = 'access_token=';
        var accessToken = data.substring(data.indexOf(accessTokenParameter) + accessTokenParameter.length, data.indexOf('&'));
        $http.get('https://graph.facebook.com/me?access_token=' + accessToken)
            .success(function(profile) {
                $scope.socialProfile = profile;
            })
            .error(function(data, status, headers, config) {
                $scope.socialProfile = 'Could not obtain social profile. Trying to refresh your token.';
                Auth.refreshToken();
            });
    });
Below is the exception I'm facing.
XMLHttpRequest cannot load
https://<host_name>:8444/auth/realms/giggzo/broker/facebook/token. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://ds412.projectstatus.co.uk' is therefore not allowed access.
The response had HTTP status code 400.
PLEASE HELP ME IN RESOLVING THE ISSUE.
Thanks,
Jayapriya Atheesan
8 years, 7 months
Connect keycloak with atlassian product
by Vanhoucke, Emmanuel
Hello !
Has anyone ever connected keycloak with Bitbucket Server (atlassian
product)?
Thanks in advance
*Emmanuel VANHOUCKE* Tools Engineer
emmanuel.vanhoucke(a)a-sis.com
a-SIS
50 rue des Peigneurs - 59200 Tourcoing
http://www.a-sis.fr
8 years, 7 months
Modify standalone.xml and standalone.conf while building.
by Revanth Ayalasomayajula
Hi,
I am using Keycloak 1.5.0 and I want to make a few changes to my
standalone.xml and standalone.conf (change the default jvm memory allocation
values). I wanted to know if there is a way that I can modify both these
files when I am building my project.
Thanks.
8 years, 7 months
Redirect issue when nginx is being used as the reverse Proxy
by Mai Zi
Hi,
I am using nginx as the reverse proxy in front of a keycloak and a web application.
Here is a snippet from nginx:
    location /foo/bar/ {
        proxy_pass http://127.0.0.1/hello/world/;
    }
I set the client type in keycloak to "confidential", so there will be a redirect URL returned back to the browser,
which may look like 127.0.0.1/hello/world. Obviously it failed.
Is there a solution?
Thanks in advance.
Mai
8 years, 7 months