If you want the database service to redirect users to the login page, it must be changed to confidential. If the front end itself is a client of Keycloak, then leaving the service as bearer only is fine.

The example is obviously a bit contrived but the idea was that no user, even an admin, would authenticate directly to the database service. If there were to be an admin interface for the database, it would be another client in the same realm. Ultimately it’s a design decision you have to make when you consider what works well for your organization.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo@smartling.com



On Jan 5, 2016, at 10:30 AM, Amaeztu <amaeztu@tesicnor.com> wrote:

Well, this example answers the asked question, so many thanks Scott. However, I still have some doubts.

In the given code, the database service can only be accessed from another client (bearer only). However, let's suppose I also want to have access to its endpoints from a Web browser, purely for administrative purposes and only with the ADMIN role. I should change the access to confidential. Then I want to access the service from the customer app, but, since the current user role might not be ADMIN, I wouldn't be authorized for the remote access.

The only solution I can think of for this is to keep the database service access bearer only and implement a specific database-ui service, which should replicate all the original endpoints (this involves adding a new endpoint to the ui service every time I do it in the db service).

Is there a way of solving this which avoids having a specific ui service implemented? Sorry about all the questions, I'm still a starter!

Sent from my Sony Xperia™ phone



---- Scott Rossillo wrote ----

Take a look at these Spring samples. It's set up automatically:

https://github.com/foo4u/keycloak-spring-demo/blob/master/customer-app/src/main/java/org/keycloak/example/spring/customer/service/RemoteCustomerService.java
On Tue, Dec 29, 2015 at 12:31 PM Aritz Maeztu <amaeztu@tesicnor.com> wrote:
At this moment there's a KeycloakRestTemplate to use it in Spring which allows an end user to retrieve data from other keycloak clients. However, a client might also be interested in accessing data with its own permissions and with no user interaction. Is there any implementation of a RestTemplate to utilize client service accounts and, if not, are there any plans to write it? This demo seems to do it manually.

Regards
--
Aritz Maeztu Otaño
Software Development Department

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf.: 948 21 40 40
Fax.: 948 21 40 41

Before printing this e-mail, consider carefully whether it is necessary: the environment is everyone's concern.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
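The service-account call asked about in the original question, as an added example that is not part of the thread and not code from the linked demo or from Keycloak: a Spring `ClientHttpRequestInterceptor` that obtains a token with the OAuth2 `client_credentials` grant and attaches it to outgoing `RestTemplate` requests. It assumes a confidential client with service accounts enabled, Spring 5.1+ with Jackson on the classpath, and a token endpoint URL you supply; the class name and the URL in the comment are hypothetical.

```java
import java.io.IOException;
import java.time.Instant;
import java.util.Map;
import org.springframework.http.*;
import org.springframework.http.client.*;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

// Hypothetical helper: authenticates as the client itself, with no end user involved.
// Usage (constructed URL; the secret comes from the environment, never from source):
//   restTemplate.getInterceptors().add(new ServiceAccountInterceptor(
//       "https://sso.example.com/auth/realms/demo/protocol/openid-connect/token",
//       "customer-app", System.getenv("CLIENT_SECRET")));
public class ServiceAccountInterceptor implements ClientHttpRequestInterceptor {
    private final RestTemplate tokenClient = new RestTemplate(); // no interceptors, avoids recursion
    private final String tokenUrl, clientId, clientSecret;
    private String token;
    private Instant expiresAt = Instant.MIN;

    public ServiceAccountInterceptor(String tokenUrl, String clientId, String clientSecret) {
        this.tokenUrl = tokenUrl;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
            ClientHttpRequestExecution execution) throws IOException {
        request.getHeaders().set(HttpHeaders.AUTHORIZATION, "Bearer " + currentToken());
        return execution.execute(request, body);
    }

    // Reuse the cached token until shortly before it expires, then fetch a new one.
    private synchronized String currentToken() {
        if (Instant.now().isBefore(expiresAt)) return token;
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.setBasicAuth(clientId, clientSecret); // client authenticates with its own secret
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "client_credentials");
        Map<?, ?> resp = tokenClient.postForObject(tokenUrl, new HttpEntity<>(form, headers), Map.class);
        if (resp == null || !(resp.get("access_token") instanceof String))
            throw new IllegalStateException("Token endpoint returned no access_token");
        token = (String) resp.get("access_token");
        Object ttl = resp.get("expires_in"); // seconds; treated as 0 if absent
        long seconds = ttl instanceof Number ? ((Number) ttl).longValue() : 0;
        expiresAt = Instant.now().plusSeconds(Math.max(0, seconds - 30)); // 30 s safety margin
        return token;
    }
}
```

The receiving bearer-only service then authorizes the call against the roles granted to the calling client's service account rather than those of a logged-in user.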