Re: [keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow

Hi Davide, I would suggest to change your flow a bit. You have frontend JEE servlet application, which is authenticated with Keycloak. So I think that you don't need any Keycloak accessTokens to be shared with your AngularJS dashboard at all. I would suggest that your AngularJS dashboard won't communicate directly with your JAX-RS backend application, but instead it will communicate just with your servlet JEE application, which will then re-send request to JAX-RS application with the usage of KeycloakSecurityContext as shown in the customer-portal example. So assuming that your frontend application is on "http://localhost:8080/frontend" and your JAX-RS is at "http://localhost:8080/backend" you can do: 1- The user call http://.../frontend 2- Thefrontendserver redirects to the keycloak login 3- Keycloak authenticates the user and redirects to frontendserver 4- The frontend server serves the AngularJS dashboard but NOT injecting the token (So angularJS and your browser don't have direct access to token at all) 5- User clicks to something in AngularJS app, which will send request to http://localhost:8080/frontend/someEndpoint 6- Frontend will re-send this to http://localhost:8080/backend/someBackendEndpoint similarly as shown in examples, which will ensure that frontend application will attach Bearer token to the request 7- After backend request is done and received in "frontend" app, it will resend it back to AngularJS with all the data. So your frontend app will be defacto proxy between AngularJS and "backend" JAX-RS application. With this design, you won't see any CORS related issues, which you currently have. And also you won't need to solve things like refreshing tokens etc. as this is done automatically by adapter of JEE frontend application. So that's my suggestion. Marek On 15.4.2014 01:43, Davide Ungari wrote: