So if I understand correctly, if the REST service is running in (for instance) Tomcat, then I can use the standard Tomcat adapter to protect it, but use:
"bearer-only" : true
as part of the configuration, as described here:
http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config

Also, regarding those options, it's not clear to me what public-client means. Does that mean that there is no authentication at all? e.g. bypass keycloak completely?

Tim


On 06/01/2016 08:23, Stian Thorgersen wrote:

The REST service doesn't check what client obtained the token, only the realm/signature and that it contains the required roles.

On 5 Jan 2016 10:20, "Tim Dudgeon" <tdudgeon.ml@gmail.com> wrote:
On 05/01/2016 07:36, Stian Thorgersen wrote:


On 1 January 2016 at 11:52, Tim Dudgeon <tdudgeon.ml@gmail.com> wrote:
The user docs (http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e54) describe exactly what I'm looking for:
Signed access tokens can also be propagated by REST client requests within an Authorization header. This is great for distributed integration as applications can request a login from a client to obtain an access token, then invoke any aggregated REST invocations to other services using that access token.
I have a web app (in Tomcat) that uses the Keycloak adapter for user authentication.
This web app needs to access a REST service, running in a different Tomcat container and I want the REST service to use the same user authentication, but I'm not totally sure about how to go about this.
Do I just grab the keycloak token in the header in the web app and add that as a header when calling the REST service, and set the REST service up to use the same Keycloak adapter configuration as the web app?

You could or you can get the token from the adapter. Take a look at:

Thanks. That's useful.


What if I want to have other ways to authenticate the REST service (e.g. access from multiple clients)?

Not sure what you mean about this

For example, let's assume we have 2 apps, authenticating against the same Keycloak realm, but as separate clients.
Both hit the same REST service and pass through their token to that service.
How is the REST service to authenticate the requests?
All it really needs to do is check that the tokens are valid and come from the expected (keycloak) source, even though the tokens were generated for different clients.
Is there an adapter that handles this?

Tim


Tim
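As an added example (not code from this thread and not Keycloak's own adapter), here is the check Stian describes, written in Go with only the standard library: a bearer-only REST service verifies the RS256 signature against the realm public key, the issuer, the expiry and a required realm role, and accepts tokens obtained by two different clients of the same realm while rejecting one signed by another realm's key. The realm key is generated in-process as a stand-in for the key Keycloak publishes; the issuer URL, client IDs, user and role names are constructed placeholders. The Keycloak adapter does the equivalent from keycloak.json when "bearer-only" is set.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// RealmAccess mirrors the Keycloak "realm_access" claim.
type RealmAccess struct {
	Roles []string `json:"roles"`
}

// Claims is the subset of a Keycloak access token this example inspects.
// "azp" is the client the token was issued to; the REST side ignores it.
type Claims struct {
	Issuer      string      `json:"iss"`
	Subject     string      `json:"sub"`
	Azp         string      `json:"azp"`
	Expiry      int64       `json:"exp"`
	RealmAccess RealmAccess `json:"realm_access"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken signs claims as an RS256 JWT with the realm's private key.
// Keycloak does this on login; it is here only so the example runs offline.
func MintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyBearer is the bearer-only service's check: realm signature, issuer,
// expiry and a required realm role. Which client obtained the token (azp) is
// deliberately not part of the decision, so tokens from any client of the
// realm are accepted as long as the user carries the role.
func VerifyBearer(pub *rsa.PublicKey, issuer, requiredRole, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // pin the algorithm; never trust "alg" to pick the check
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("signature does not verify with the realm key")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Issuer != issuer {
		return nil, fmt.Errorf("wrong issuer %q", c.Issuer)
	}
	if now.Unix() >= c.Expiry {
		return nil, errors.New("token expired")
	}
	for _, r := range c.RealmAccess.Roles {
		if r == requiredRole {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("missing realm role %q", requiredRole)
}

func main() {
	realmKey, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the realm key
	if err != nil {
		panic(err)
	}
	const issuer = "https://sso.example.test/auth/realms/demo" // constructed
	now := time.Now()
	for _, client := range []string{"web-app-a", "web-app-b"} { // constructed client IDs
		c := Claims{Issuer: issuer, Subject: "alice", Azp: client,
			Expiry: now.Add(5 * time.Minute).Unix(), RealmAccess: RealmAccess{Roles: []string{"user"}}}
		tok, err := MintToken(realmKey, c)
		if err != nil {
			panic(err)
		}
		got, err := VerifyBearer(&realmKey.PublicKey, issuer, "user", tok, now)
		fmt.Printf("token from %s: accepted=%v err=%v\n", client, got != nil, err)
	}
}
```

Only the realm public key, issuer and roles drive the decision; if a service ever needed to restrict which clients may call it, that would be an extra check on "azp" layered on top of this one, not a replacement for the signature and role checks.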





_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
