Hi Dmitry,
thanks for your answer and the link to your project! I will try this out.
Mit freundlichen Grüßen / With kind regards
David Herrmann
RD/UIA
Team Rising Stars
Daimler AG
HPC G464
70546 Stuttgart
Mobil: +49 176 309 369 87
What3Words Address:
entfalten.jüngste.nehmen
choppy.impact.moisture
E-Mail: david_christian.herrmann(a)daimler.com
Daimler AG
Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial
Register No. 19360
Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff
Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman),
Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta Seeger,
Hubertus Troska, Bodo Uebber
-----Ursprüngliche Nachricht-----
Von: Dmitry Telegin [mailto:dt@acutus.pro]
Gesendet: Montag, 17. Dezember 2018 05:09
An: Herrmann, David Christian (059) <david_christian.herrmann(a)daimler.com>;
keycloak-user(a)lists.jboss.org
Betreff: Re: [keycloak-user] Cross Realm authorization
Hello David,
Please take a look at how it is done in BeerCloak:
https://github.com/dteleguin/beercloak/tree/master/beercloak-module/src/m...
All the heavy lifting is done in AbstractAdminResource, and you can use it in your project
verbatim (you should only provide your own AdminAuth implementation). The whole purpose of
this is to allow master realm users to administer objects in non-master realms.
(Some musings: I dream of having AdminRealmResourceProvider with all that stuff OOTB; the
idea has been around for years, but I'm afraid we won't have it in Keycloak
anytime soon. Luckily, this can be done at a low price of introducing some boilerplate
code into your project.)
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Fri, 2018-12-14 at 07:32 +0000, david_christian.herrmann(a)daimler.com wrote:
Hello,
we implemented a custom REST endpoint using RealmResourceProvider to search for users by
their attributes. We then secured the endpoint by using:
AuthenticationManager.AuthResult authResult =
authManager.authenticateBearerToken(session);
if (authResult == null) {
throw new NotAuthorizedException("Bearer token required"); }
And
if(!auth.hasClientRole(client,"view-users")){
throw new NotAuthorizedException("Necessary permission not
available"); }
We now have the problem, that we want to access the endpoint with technical users which
are in the master realm to separate them from the real end-users.
So the technical users get their access token from the master realm (which contains the
necessary resource permissions for the user realm) and then access the endpoint in the
user realm.
Here
AuthenticationManager.AuthResult authResult =
authManager.authenticateBearerToken(session);
if (authResult == null) {
throw new NotAuthorizedException("Bearer token required"); }
Always results in unauthorized.
Looking at the code and testing I think with authenticateBearerToken() cross realm
authentication is not possible. Correct? Do you have a suggestion how to achieve our
goal?
Mit freundlichen Grüßen / With kind regards
David Herrmann
RD/UIA
Team Rising Stars
[Computergenerierter Alternativtext: RDIU]
Daimler AG
HPC G464
70546 Stuttgart
Mobil: +49 176 309 369 87
What3Words Address:
ellbogen.sprüche.anfänge
> E-Mail:
> david_christian.herrmann@daimler.com<mailto:david_christian.herrmann
> @daimler.com>
Daimler AG
Sitz und Registergericht / Domicile and Court of Registry: Stuttgart;
HRB-Nr. / Commercial Register No. 19360 Vorsitzender des Aufsichtsrats
/ Chairman of the Supervisory Board: Manfred Bischoff Vorstand / Board
of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang
Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta
Seeger, Hubertus Troska, Bodo Uebber
If you are not the addressee, please inform us immediately that you have received this
e-mail by mistake, and delete it. We thank you for your support.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
If you are not the addressee, please inform us immediately that you have received this
e-mail by mistake, and delete it. We thank you for your support.