10:17 a.m.
Actually, that's where I started before I originally asked this list.
From following the configuration examples there, and checking my realm
configuration against that in the example, I was only able to setup ONE
OR THE OTHER of the following cases (never both):
- basic authentication worked on the REST server, when using curl as a
client
- the UI worked, using a bearer token (the javascript adapter was doing
the actual sign-in)
After taking Bill's advice to look at implementing another LoginModule,
I came up with this:
http://bit.ly/1CH4kdU
This actually satisfies both cases by doing the BASIC -> Bearer
translation on the server side, then passing it on to Keycloak's
authentication mechanisms...but I'm not sure it's the most elegant solution.
On 07/15/2015 02:17 AM, Stian Thorgersen wrote:
Have a look at basic-auth example, it's included in the examples
dl.
----- Original Message -----
> From: "John Casey" <jdcasey(a)commonjava.org>
> To: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
> Sent: Tuesday, 14 July, 2015 9:23:46 PM
> Subject: Re: [keycloak-user] help with bearer + basic auth
>
> Well, when I use "enable-basic-auth" this works fine:
>
> $ curl -u test -i http://localhost:8081/api/admin/remote
> Enter host password for user 'test':
> HTTP/1.1 200 OK
> ...
>
> However, that configuration causes the UI use a 'code' query param and
> encounter 400 responses. In the keycloak server output I see:
>
> 19:19:07,524 WARN [org.keycloak.events] (default task-7)
> type=REFRESH_TOKEN_ERROR, realmId=master,
> clientId=security-admin-console, userId=null, ipAddress=127.0.0.1,
> error=invalid_token
>
> I'm looking through the code keycloak uses to supply an authentication
> mechanism to undertow now, to hopefully come with a way to handle basic
> auth...maybe through a wrapper auth mech around keycloak?
>
> Do you have any samples / hints I might be able to follow? I'll admit,
> this is the first time I've had to look this closely at servlet/web auth
> mechanisms.
>
>
> On 07/14/2015 11:16 AM, Bill Burke wrote:
>> IIRC, the basic auth switch is so that you can send the token via basic
>> auth rather than as bearer auth. This is really only useful when you
>> can't use a keycloak adapter, but can implement a LoginModule or
>> something. It has nothing to do with basic auth.
>>
>> On 7/14/2015 12:04 PM, John Casey wrote:
>>> On 07/14/2015 10:49 AM, Juraci Paixão Kröhling wrote:
>>>> On 07/14/2015 05:32 PM, John Casey wrote:
>>>>> ...but it doesn't seem to have a javascript UI or anything using
bearer
>>>>> tokens to verify that it works that way.
>>>>
>>>> Not sure I understood your question, but removing the
"bearer-only" and
>>>> adding "enable-basic-auth" should be enough to have your server
adapter
>>>> to accept both bearer tokens and basic auth.
>>>>
>>>
>>> This is exactly what I'm trying to do. I've tried removing
"bearer-only"
>>> and replaced it with "enable-basic-auth"...which has two effects:
>>>
>>> - basic auth via curl works (it didn't before the change)
>>>
>>> - the UI (using javascript adapter + bearer token) gets 400 Bad Request
>>>
>>>
>>> Are you using the javascript adapter to login for your UI, passing the
>>> bearer token to the server? I guess what I'm asking is if your
>>> application actually uses both methods (basic auth and bearer token)?
>>>
>>> I'm not sure how to filter my realm json to pare out the unnecessary
>>> stuff, but here's a gist containing the full file (it's on a test
docker
>>> container, so no worries about security):
>>>
>>> https://gist.github.com/jdcasey/3f934fcd4967b99ebb05
>>>
>>
>
> --
> John Casey
> ---
> GitHub: https://github.com/jdcasey/
> Twitter: http://twitter.com/buildchimp
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
John Casey
---
GitHub: https://github.com/jdcasey/
Twitter: http://twitter.com/buildchimp