On 18/03/16 08:07, Simon Gordon wrote:
[Repost]
Hey all
I feel compelled to ask another basic question of you, thanks in advance!
Looking at the demos, in a basic OAuth2 scenario, the protected resource
server (let's use the database-server within the demo-templates) is
configured in keycloak.json as:

    {
      "realm" : "demo",
      "resource" : "database-service",
      "realm-public-key" : "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
      "auth-server-url": "/auth",
      "bearer-only" : true,
      "ssl-required" : "external"
    }
In the web.xml, the database-service is permitting only requests ('/*') to
those clients that have been granted the 'user' role.
In the design, this service is receiving bearer tokens only - so can I
assume that the bearer token has the roles associated with the token
encoded within the bearer token? (Plus the token is signed with the realm
key)
Yes, the roles are available in the access token. The access token is a
JWT and contains various claims (attributes) of the user as well as roles.
The database service translates roles from the token to JEE roles, which
is done by our adapter.
Marek
Or is there a back-channel conversation which I can't see in the
configuration, maybe derived from 'auth-server-url'?
Thank you for any thoughts!
Regards,
Simon
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
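As an added illustration of the exchange Marek describes (this is example code, not code from the thread or from Keycloak's adapter), here is a Ruby stand-in for both halves: the auth server signs the roles into the JWT access token with the realm private key, and the bearer-only resource verifies that token with nothing but the realm public key and then checks the roles it carries, so no back-channel call is needed. The function names (issue_token, authorize), the realm key pair and the sample subject and roles are constructed for the example.

```ruby
require "openssl"
require "json"

def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  s = str.tr("-_", "+/")
  (s + "=" * ((4 - s.length % 4) % 4)).unpack1("m")
end

# Plays the auth server: a JWT (header.payload.signature) signed RS256 with the
# realm private key. The roles travel inside the payload under realm_access.
def issue_token(realm_private_key, subject, realm_roles)
  header  = b64url_encode({ alg: "RS256", typ: "JWT" }.to_json)
  payload = b64url_encode({ sub: subject, realm_access: { roles: realm_roles } }.to_json)
  signing_input = "#{header}.#{payload}"
  signature = realm_private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# Plays the bearer-only adapter on the database-service: the realm public key
# (the "realm-public-key" value in keycloak.json) is all it needs to verify the
# token offline, and the roles found in the token are what web.xml's role
# constraint is checked against. Returns the subject when the required role is
# granted, raises otherwise.
def authorize(realm_public_key, token, required_role)
  parts = token.split(".")
  raise "malformed token" unless parts.size == 3
  header, payload, signature = parts
  alg = JSON.parse(b64url_decode(header))["alg"]
  raise "unexpected alg #{alg.inspect}" unless alg == "RS256" # never let the token choose
  digest = OpenSSL::Digest.new("SHA256")
  unless realm_public_key.verify(digest, b64url_decode(signature), "#{header}.#{payload}")
    raise "signature does not verify with the realm key"
  end
  claims = JSON.parse(b64url_decode(payload))
  roles = claims.dig("realm_access", "roles") || []
  raise "role #{required_role} not granted" unless roles.include?(required_role)
  claims["sub"]
end
```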