Re: [keycloak-user] Securing Angular + REST based app using keycloak OIDC

Hi Pulkit, Authentication happens on the front-end and the given bearer token is used for the bearer-only client to obtain protected resources. Implicit flow is just another way to obtain an access (bearer) token from Keycloak. I'm using the JS adapter and it works for both flows and does not affect the way your REST services work (includes token validation). I believe you should be good to go once you got your front-end Keycloak configuration setup correct. ________________________________________ From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org&gt; on behalf of Pulkit Gupta <pulgupta(a)redhat.com&gt; Sent: 30 May 2017 11:23 To: keycloak-user Subject: [keycloak-user] Securing Angular + REST based app using keycloak OIDC Hi All, We are looking to integrate an application with Keycloak. It is an Angular + REST application in which the REST services are developed in Java and are running on EAP 6. and the back end separately. The Angular front-end can be secured using JavaScript adapter which will check if a user has access token and in case not it will redirect it to Keycloak. Once the user acquires an access token , it send the same token to the REST services. We can configure REST service as a bearer only client which will check for the validity of the token against Keycloak and return the business data. We can use EAP 6 OIDC java adapter for Keycloak to secure the REST part. However their is one limitation that our setup only supports implicit flow. I am sure with Implicit flow we can achieve the angular side of the authentication. However I am not sure if we can make use of the Java OIDC adapter to actually validate and secure our rest APIs. Can you please guide me in case this is achievable with implicit flow. Regards, Pulkit _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user