Re: [keycloak-user] Get the user of the current request from the KeycloakSession?

Thanks Fabricio, that sounds like the sort of thing I'm looking for, but I have nothing else in scope than the KeycloakSession object. @Bill: My question is independent from the changes of Pedro. So let's try it once more: how can I get the User(Model) of the authenticated user of the current request, if I just have a reference to the KeycloakSession? It seems to me that this should be possible, but there seems to be no way to do it. Maybe there should be a getUser() added on the KeycloakContext? On 16/12/15 22:40, Fabricio Milone wrote: Hi Erik, I did something similar but in my case I have the username as a form attribute in the request, so if it possible in your scenario to get the username as a string, this is one possible solution: UserModel user = session.users().getUserByUsername(*username*, session.realms().getRealmByName(realm.getName())); Not 100% sure if that's what you need, I hope it is :) Regards, Fab On 17 December 2015 at 02:34, Erik Mulder <erik.mulder(a)docdatapayments.com > wrote: > Thanks, but I'm not sure I understand you correctly. Let me clearify: > - I'm extending the Keycloak REST webservices with some custom > resources, for instance: > http://127.0.0.1:8080/auth/realms/<realmId>/docdata/<myResource> (a > piece of code from Pedro made this possible) > - I'm implementing an SPI (also from Pedro's change) that gets a > KeycloakSession object to 'work with'. > - I do authenticate on the keycloak server using a token (OpenID > Connect) that I got from a previous succesful login. > - Somewhere in the Keycloak internals this token is validated and a > User(Model/Session) is found that corresponds to this token. > - <assumption>: This User is saved somewhere in the session context > > Now, my question is: How can I get hold of this User(Model/Session), > given that I have just a KeycloakSession object? > > Through debugging I see that session.sessions() has a UserSessionEntity > for my current request, but since there might be more at the same time, > how can I relate my current request to the one User that is associated > with it? > > > > On 16/12/15 15:52, Bill Burke wrote: > > On 12/16/2015 9:37 AM, Erik Mulder wrote: > >> Seems like a simple scenario, but I can't figure it out: I have an > >> instance of the KeycloakSession and I want to get the UserModel for the > >> current request. Is this possible? > >> > >> Context: I'm creating a custom REST service that runs inside keycloak > >> and needs to get some data that is related to the current authenticated > >> user. For instance the realm and client I can get through the > >> session.getContext().getClient/Realm(). I would expect a getUser() > there > >> too, but I can't find it anywhere 'in' the session. > >> > >> If this isn't possible, shouldn't it be? Or if not, why not? > >> > > I'm assuming this REST request is from a browser Javascript client? > > Login sessions are maintained only through a cookie. You'd have to > > login through the browser first, then read the cookie. > > > > BTW, cookies are a really bad way of securing a REST interface. Your > > REST interface becomes vulnerable to CSRF attacks. I suggest you use a > > token to secure your REST interface. If you are already using > > keycloak.js to login in, you can obtain the token from the Keycloak > > javascript interface and use that to invoke your service. > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user