Re: [keycloak-user] Best way to get subject without adding it as request parameter in cross domain back end REST service

I am able to use a bearer token to call a java REST service from a pure javascript client. Unfortunately the KeycloakSecurityContext is essentially empty on the back end. I need to filter and update data by subject (idToken.subject) Initially I setup my back end REST application as a bearer token only application; thinking that was the problem, I switched to a confidential back end application but the KeycloakSecurityContext is still not populated. In order to communicate with the service in a cross domain way, I still need to send a bearer token, regardless of the type of application. I can get the subject in javascript and add it to the list of request parameters, however, it seems that leaves me open to anyone with a valid token being able to request another user's data. What is the best way to handle this kind of situation using Keycloak?