Merged
The role mappings where missing in the test as the app didn't have a scope mapping. I
added full scope mappings for the app in
From: "Gary Brown" <gbrown(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "Marek Posolda" <mposolda(a)redhat.com>, keycloak-user(a)lists.jboss.org
Sent: Friday, 28 November, 2014 4:19:43 PM
Subject: Re: [keycloak-user] REST services supporting basic auth and bearer tokens
Hi Stian and Marek
PR submitted:
https://github.com/keycloak/keycloak/pull/874
I've added a comment to the jira
(
https://issues.jboss.org/browse/KEYCLOAK-861) about roles - if whoever
reviews the PR could let me know.
Thanks.
Regards
Gary
----- Original Message -----
> I think in the long run if we try to show all features in the demo it'll
> end
> up getting to bloated. It's probably best to keep the demo to the core
> features (SSO, etc) and have separate basic examples (quickstarts?) for the
> rest.
>
> ----- Original Message -----
> > From: "Marek Posolda" <mposolda(a)redhat.com>
> > To: "Gary Brown" <gbrown(a)redhat.com>
> > Cc: "Stian Thorgersen" <stian(a)redhat.com>,
keycloak-user(a)lists.jboss.org
> > Sent: Thursday, 27 November, 2014 4:22:23 PM
> > Subject: Re: [keycloak-user] REST services supporting basic auth and
> > bearer
> > tokens
> >
> > Oki, sounds good to me.
> >
> > Marek
> >
> > On 27.11.2014 15:37, Gary Brown wrote:
> > > Hi Marek
> > >
> > > I was originally thinking the same - but it would complicate the demo
> > > more.
> > >
> > > Its possible that the database-service could simply be changed to
> > > support
> > > both bearer and basic auth, and then provide curl instructions to
> > > demonstrate basic auth access, but then there wouldn't be an example
> > > showing a bearer-only configuration.
> > >
> > > So assuming that a 'bearer-only' example is still required, then
having
> > > a
> > > completely independent basic auth example may be the next best thing -
> > > and
> > > then leave it as an exercise for the user to enable basic auth on the
> > > database-service?
> > >
> > > Regards
> > > Gary
> > >
> > > ----- Original Message -----
> > >> Sent previous email before I figured that you guys already decide on
> > >> something, so feel free to ignore me:-)
> > >>
> > >> On the other hand, it may be nice to show in the example that
> > >> particular
> > >> jaxrs endpoint is able to support both bearer and basic auth in same
> > >> application imo.
> > >>
> > >> Marek
> > >>
> > >> On 27.11.2014 15:26, Gary Brown wrote:
> > >>> Ok sounds good.
> > >>>
> > >>> ----- Original Message -----
> > >>>> Another option is to add a separate basic example outside of
the
> > >>>> demo,
> > >>>> like
> > >>>> what was done for multi-tenancy. A single jax-rs endpoint
that
> > >>>> supports
> > >>>> basic auth and an example curl command to invoke it?
> > >>>>
> > >>>> ----- Original Message -----
> > >>>>> From: "Gary Brown" <gbrown(a)redhat.com>
> > >>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
> > >>>>> Cc: "Marek Posolda"
<mposolda(a)redhat.com>,
> > >>>>> keycloak-user(a)lists.jboss.org
> > >>>>> Sent: Thursday, 27 November, 2014 2:59:46 PM
> > >>>>> Subject: Re: [keycloak-user] REST services supporting
basic auth
> > >>>>> and
> > >>>>> bearer
> > >>>>> tokens
> > >>>>>
> > >>>>> In terms of example, was thinking the database-service is
ideal -
> > >>>>> however
> > >>>>> I'm
> > >>>>> guessing it also needs to be shown as a
'bearer-only' example (as
> > >>>>> now).
> > >>>>>
> > >>>>> In the same way that there is multiple customer-apps, one
approach
> > >>>>> could
> > >>>>> be
> > >>>>> to have an alternate database-service supporting basic
auth as
> > >>>>> well,
> > >>>>> but
> > >>>>> then would also need a separate copy of the
testrealm.json.
> > >>>>>
> > >>>>> Thoughts?
> > >>>>>
> > >>>>> ----- Original Message -----
> > >>>>>> Great, if you do a PR include an example we can merge
it before a
> > >>>>>> 1.1.0.Beta2
> > >>>>>> release (probably next week)
> > >>>>>>
> > >>>>>> ----- Original Message -----
> > >>>>>>> From: "Gary Brown"
<gbrown(a)redhat.com>
> > >>>>>>> To: "Stian Thorgersen"
<stian(a)redhat.com>
> > >>>>>>> Cc: "Marek Posolda"
<mposolda(a)redhat.com>,
> > >>>>>>> keycloak-user(a)lists.jboss.org
> > >>>>>>> Sent: Thursday, 27 November, 2014 1:48:55 PM
> > >>>>>>> Subject: Re: [keycloak-user] REST services
supporting basic auth
> > >>>>>>> and
> > >>>>>>> bearer
> > >>>>>>> tokens
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> ----- Original Message -----
> > >>>>>>>> Looks good to me, but I'd like it to be an
optional feature that
> > >>>>>>>> is
> > >>>>>>>> enabled
> > >>>>>>>> in keycloak.json (should be disabled by
default).
> > >>>>>>> Sounds reasonable - I'll call the property
'enableBasicAuth'.
> > >>>>>>>
> > >>>>>>>> Another thing is that we should add an example
+ documentation
> > >>>>>>>> for
> > >>>>>>>> this
> > >>>>>>>> feature.
> > >>>>>>> Will do.
> > >>>>>>>
> > >>>>>>>> ----- Original Message -----
> > >>>>>>>>> From: "Gary Brown"
<gbrown(a)redhat.com>
> > >>>>>>>>> To: "Marek Posolda"
<mposolda(a)redhat.com>
> > >>>>>>>>> Cc: keycloak-user(a)lists.jboss.org
> > >>>>>>>>> Sent: Thursday, 27 November, 2014 10:58:21
AM
> > >>>>>>>>> Subject: Re: [keycloak-user] REST services
supporting basic
> > >>>>>>>>> auth
> > >>>>>>>>> and
> > >>>>>>>>> bearer
> > >>>>>>>>> tokens
> > >>>>>>>>>
> > >>>>>>>>> Hi Marek
> > >>>>>>>>>
> > >>>>>>>>> ----- Original Message -----
> > >>>>>>>>>> Hi,
> > >>>>>>>>>>
> > >>>>>>>>>> I am not 100% sure if having basic
auth with direct grant
> > >>>>>>>>>> directly
> > >>>>>>>>>> in
> > >>>>>>>>>> our adapters is way to go. Probably
yes as for your use-case
> > >>>>>>>>>> it
> > >>>>>>>>>> makes
> > >>>>>>>>>> sense, so I am slightly for push your
change as PR. But maybe
> > >>>>>>>>>> others
> > >>>>>>>>>> from team have different opinion.
> > >>>>>>>>>>
> > >>>>>>>>>> Earlier this week I've added
DirectAccessGrantsLoginModule to
> > >>>>>>>>>> KC
> > >>>>>>>>>> codebase, which is quite similar and
is intended to be used
> > >>>>>>>>>> for
> > >>>>>>>>>> non-web
> > >>>>>>>>>> applications (like SSH), which rely on
JAAS. But I guess that
> > >>>>>>>>>> using
> > >>>>>>>>>> this
> > >>>>>>>>>> one is not good option for you as you
want support for Basic
> > >>>>>>>>>> and
> > >>>>>>>>>> Bearer
> > >>>>>>>>>> authentication in same web
application, right?
> > >>>>>>>>> Thats correct.
> > >>>>>>>>>
> > >>>>>>>>>> Few more minor points to your
changes:
> > >>>>>>>>>> - Is it possible to use
net.iharder.Base64 instead of
> > >>>>>>>>>>
org.apache.commons.codec.binary.Base64? Whole KC code has
> > >>>>>>>>>> dependency
> > >>>>>>>>>> on
> > >>>>>>>>>> net.iharder, so would be likely better
to use this one to
> > >>>>>>>>>> avoid
> > >>>>>>>>>> possible
> > >>>>>>>>>> dependency issues in adapters.
> > >>>>>>>>> That shouldn't be a problem.
> > >>>>>>>>>
> > >>>>>>>>>> - Wonder if it's possible to
simplify a bit, like have single
> > >>>>>>>>>> "completeAuthentication"
method for both bearer and basic
> > >>>>>>>>>> authenticator
> > >>>>>>>>>> (afaik only difference among them is
different authMethod
> > >>>>>>>>>> right?).
> > >>>>>>>>>> But
> > >>>>>>>>>> this is really minor.
> > >>>>>>>>> Will do.
> > >>>>>>>>>
> > >>>>>>>>> I'll wait until mid next week before
doing any more on this, to
> > >>>>>>>>> see
> > >>>>>>>>> whether
> > >>>>>>>>> others have an opinion.
> > >>>>>>>>>
> > >>>>>>>>> If the PR was accepted, any chance it
could go into 1.1 even
> > >>>>>>>>> though
> > >>>>>>>>> in
> > >>>>>>>>> beta?
> > >>>>>>>>> If no, any idea what the timescale is for
1.2.beta1?
> > >>>>>>>>>
> > >>>>>>>>> Thanks for your feedback.
> > >>>>>>>>>
> > >>>>>>>>> Regards
> > >>>>>>>>> Gary
> > >>>>>>>>>
> > >>>>>>>>>> Marek
> > >>>>>>>>>>
> > >>>>>>>>>> On 26.11.2014 14:54, Gary Brown
wrote:
> > >>>>>>>>>>> Hi
> > >>>>>>>>>>>
> > >>>>>>>>>>> Concrete use case - we have
implemented the OASIS S-RAMP
> > >>>>>>>>>>> specification,
> > >>>>>>>>>>> in
> > >>>>>>>>>>> which it requires basic auth
support
> > >>>>>>>>>>>
(
http://docs.oasis-open.org/s-ramp/s-ramp/v1.0/s-ramp-v1.0-part2-atom-bind...
> > >>>>>>>>>>> section 5 "The S-RAMP
Specification does not attempt to
> > >>>>>>>>>>> define
> > >>>>>>>>>>> a
> > >>>>>>>>>>> security
> > >>>>>>>>>>> model for products that implement
it. For the Atom Binding,
> > >>>>>>>>>>> the
> > >>>>>>>>>>> only
> > >>>>>>>>>>> security requirement is that at a
minimum, client and server
> > >>>>>>>>>>> implementations MUST be capable of
being configured to use
> > >>>>>>>>>>> HTTP
> > >>>>>>>>>>> Basic
> > >>>>>>>>>>> Authentication in conjunction with
a connection made with
> > >>>>>>>>>>> TLS.").
> > >>>>>>>>>>>
> > >>>>>>>>>>> However we also need the same
service to support bearer
> > >>>>>>>>>>> token,
> > >>>>>>>>>>> for
> > >>>>>>>>>>> use
> > >>>>>>>>>>> within our KeyCloak SSO session.
> > >>>>>>>>>>>
> > >>>>>>>>>>> I've implemented a possible
solution, details defined on
> > >>>>>>>>>>>
https://issues.jboss.org/browse/KEYCLOAK-861.
> > >>>>>>>>>>>
> > >>>>>>>>>>> If this solution is on the right
path, I would appreciate any
> > >>>>>>>>>>> feedback
> > >>>>>>>>>>> on
> > >>>>>>>>>>> any changes that might be required
before submitting a PR.
> > >>>>>>>>>>> Currently
> > >>>>>>>>>>> there
> > >>>>>>>>>>> are no tests, but would aim to
provide some with the PR.
> > >>>>>>>>>>>
> > >>>>>>>>>>> Regards
> > >>>>>>>>>>> Gary
> > >>>>>>>>>>>
_______________________________________________
> > >>>>>>>>>>> keycloak-user mailing list
> > >>>>>>>>>>> keycloak-user(a)lists.jboss.org
> > >>>>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>>>>>>>>
_______________________________________________
> > >>>>>>>>> keycloak-user mailing list
> > >>>>>>>>> keycloak-user(a)lists.jboss.org
> > >>>>>>>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>>>>>>>>
> > >>
> >
> >
>