If you want the database service to redirect users to the login page, it must be changed to confidential. If the front end itself is a client of Keycloak, then leaving the service as bearer only is fine.
The example is obviously a bit contrived but the idea was that no user, even an admin, would authenticate directly to the database service. If there were to be an admin interface for the database, it would be another client in the same realm. Ultimately it’s a design decision you have to make when you consider what works well for your organization.
On Jan 5, 2016, at 10:30 AM, Amaeztu <amaeztu@tesicnor.com> wrote:
Well, this example answers the asked question, so many thanks Scott. However, I still have some doubts.
In the given code, the database service can only be accessed from another client (bearer only). However, let's suppose I also want to have access to its endpoints from a Web browser, for purely administrative purposes and only with the ADMIN role. I should change the access to confidential. Then I want to access the service from the customer app, but, since the current user role might not be ADMIN, I wouldn't be authorized for the remote access.
The only solution I can think of for this is to keep the database service access bearer only and implement a specific database-ui service, which should replicate all the original endpoints (this involves adding a new endpoint to the ui service every time I do it in the db service).
Is there a way of solving this which avoids having a specific ui service implemented? Sorry about all the questions, I'm still a starter!
Sent from my Sony Xperia™ phone
---- Scott Rossillo wrote ----
Take a look at these Spring samples. It's set up automatically:
https://github.com/foo4u/keycloak-spring-demo/blob/master/customer-app/src/main/java/org/keycloak/example/spring/customer/service/RemoteCustomerService.java
On Tue, Dec 29, 2015 at 12:31 PM Aritz Maeztu <amaeztu@tesicnor.com> wrote:
At this moment there's a KeycloakRestTemplate to use it in Spring which allows an end user to retrieve data from other keycloak clients. However, a client might also be interested in accessing data with its own permissions and with no user interaction. Is there any implementation of a RestTemplate to utilize client service accounts and, if not, are there any plans to write it? This demo seems to do it manually.
Regards
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
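
The service-account call asked about in this thread, sketched as an added example (not code from the thread, the linked demo, or the Keycloak adapter): a Spring `ClientHttpRequestInterceptor` that obtains a token with the OAuth2 client credentials grant and attaches it as a bearer token. The class name `ServiceAccountInterceptor` is hypothetical; it assumes a confidential client with service accounts enabled, Jackson on the classpath, and that `tokenUrl` is the realm's OpenID Connect token endpoint supplied by the caller.

```java
import java.io.IOException;
import java.time.Instant;
import java.util.Map;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

/** Hypothetical helper: authenticates outgoing calls as the client itself, not as an end user. */
public class ServiceAccountInterceptor implements ClientHttpRequestInterceptor {
    // Separate RestTemplate without this interceptor, so the token request does not recurse.
    private final RestTemplate tokenClient = new RestTemplate();
    private final String tokenUrl, clientId, clientSecret;
    private String accessToken;
    private Instant refreshAt = Instant.MIN;

    public ServiceAccountInterceptor(String tokenUrl, String clientId, String clientSecret) {
        this.tokenUrl = tokenUrl;
        this.clientId = clientId;
        this.clientSecret = clientSecret; // load from secure configuration, never hard-code
    }

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
            ClientHttpRequestExecution execution) throws IOException {
        request.getHeaders().set(HttpHeaders.AUTHORIZATION, "Bearer " + currentToken());
        return execution.execute(request, body);
    }

    // Reuses the cached token and fetches a new one 30 seconds before it expires.
    private synchronized String currentToken() {
        if (Instant.now().isAfter(refreshAt)) {
            MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
            form.add("grant_type", "client_credentials");
            form.add("client_id", clientId);
            form.add("client_secret", clientSecret);
            // A MultiValueMap body is sent as application/x-www-form-urlencoded.
            Map<?, ?> reply = tokenClient.postForObject(tokenUrl, form, Map.class);
            if (reply == null || reply.get("access_token") == null) {
                throw new IllegalStateException("Token endpoint returned no access_token");
            }
            accessToken = (String) reply.get("access_token");
            long ttl = ((Number) reply.get("expires_in")).longValue();
            refreshAt = Instant.now().plusSeconds(Math.max(ttl - 30, 0));
        }
        return accessToken;
    }
}
```

Register it with `restTemplate.getInterceptors().add(new ServiceAccountInterceptor(tokenUrl, clientId, clientSecret))`; a bearer-only service then authorizes the call against the roles granted to the client's service account rather than the current user's roles.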