On 12/16/2015 9:37 AM, Erik Mulder wrote: > Seems like a simple scenario, but I can't figure it out: I have an > instance of the KeycloakSession and I want to get the UserModel for the > current request. Is this possible? > > Context: I'm creating a custom REST service that runs inside keycloak > and needs to get some data that is related to the current authenticated > user. For instance the realm and client I can get through the > session.getContext().getClient/Realm(). I would expect a getUser() there > too, but I can't find it anywhere 'in' the session. > > If this isn't possible, shouldn't it be? Or if not, why not? > I'm assuming this REST request is from a browser Javascript client? Login sessions are maintained only through a cookie. You'd have to login through the browser first, then read the cookie. BTW, cookies are a really bad way of securing a REST interface. Your REST interface becomes vulnerable to CSRF attacks. I suggest you use a token to secure your REST interface. If you are already using keycloak.js to login in, you can obtain the token from the Keycloak javascript interface and use that to invoke your service.

Thanks, but I'm not sure I understand you correctly. Let me clearify: - I'm extending the Keycloak REST webservices with some custom resources, for instance: http://127.0.0.1:8080/auth/realms/<realmId>/docdata/<myResource> (a piece of code from Pedro made this possible) - I'm implementing an SPI (also from Pedro's change) that gets a KeycloakSession object to 'work with'. - I do authenticate on the keycloak server using a token (OpenID Connect) that I got from a previous succesful login. - Somewhere in the Keycloak internals this token is validated and a User(Model/Session) is found that corresponds to this token. - <assumption>: This User is saved somewhere in the session context Now, my question is: How can I get hold of this User(Model/Session), given that I have just a KeycloakSession object? Through debugging I see that session.sessions() has a UserSessionEntity for my current request, but since there might be more at the same time, how can I relate my current request to the one User that is associated with it? On 16/12/15 15:52, Bill Burke wrote: > On 12/16/2015 9:37 AM, Erik Mulder wrote: >> Seems like a simple scenario, but I can't figure it out: I have an >> instance of the KeycloakSession and I want to get the UserModel for the >> current request. Is this possible? >> >> Context: I'm creating a custom REST service that runs inside keycloak >> and needs to get some data that is related to the current authenticated >> user. For instance the realm and client I can get through the >> session.getContext().getClient/Realm(). I would expect a getUser() there >> too, but I can't find it anywhere 'in' the session. >> >> If this isn't possible, shouldn't it be? Or if not, why not? >> > I'm assuming this REST request is from a browser Javascript client? > Login sessions are maintained only through a cookie. You'd have to > login through the browser first, then read the cookie. > > BTW, cookies are a really bad way of securing a REST interface. Your > REST interface becomes vulnerable to CSRF attacks. I suggest you use a > token to secure your REST interface. If you are already using > keycloak.js to login in, you can obtain the token from the Keycloak > javascript interface and use that to invoke your service. > > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Thanks Fabricio, that sounds like the sort of thing I'm looking for, but I have nothing else in scope than the KeycloakSession object. @Bill: My question is independent from the changes of Pedro. So let's try it once more: how can I get the User(Model) of the authenticated user of the current request, if I just have a reference to the KeycloakSession? It seems to me that this should be possible, but there seems to be no way to do it. Maybe there should be a getUser() added on the KeycloakContext? On 16/12/15 22:40, Fabricio Milone wrote: Hi Erik, I did something similar but in my case I have the username as a form attribute in the request, so if it possible in your scenario to get the username as a string, this is one possible solution: UserModel user = session.users().getUserByUsername(*username*, session.realms().getRealmByName(realm.getName())); Not 100% sure if that's what you need, I hope it is :) Regards, Fab On 17 December 2015 at 02:34, Erik Mulder <erik.mulder(a)docdatapayments.com > wrote: > Thanks, but I'm not sure I understand you correctly. Let me clearify: > - I'm extending the Keycloak REST webservices with some custom > resources, for instance: > http://127.0.0.1:8080/auth/realms/<realmId>/docdata/<myResource> (a > piece of code from Pedro made this possible) > - I'm implementing an SPI (also from Pedro's change) that gets a > KeycloakSession object to 'work with'. > - I do authenticate on the keycloak server using a token (OpenID > Connect) that I got from a previous succesful login. > - Somewhere in the Keycloak internals this token is validated and a > User(Model/Session) is found that corresponds to this token. > - <assumption>: This User is saved somewhere in the session context > > Now, my question is: How can I get hold of this User(Model/Session), > given that I have just a KeycloakSession object? > > Through debugging I see that session.sessions() has a UserSessionEntity > for my current request, but since there might be more at the same time, > how can I relate my current request to the one User that is associated > with it? > > > > On 16/12/15 15:52, Bill Burke wrote: > > On 12/16/2015 9:37 AM, Erik Mulder wrote: > >> Seems like a simple scenario, but I can't figure it out: I have an > >> instance of the KeycloakSession and I want to get the UserModel for the > >> current request. Is this possible? > >> > >> Context: I'm creating a custom REST service that runs inside keycloak > >> and needs to get some data that is related to the current authenticated > >> user. For instance the realm and client I can get through the > >> session.getContext().getClient/Realm(). I would expect a getUser() > there > >> too, but I can't find it anywhere 'in' the session. > >> > >> If this isn't possible, shouldn't it be? Or if not, why not? > >> > > I'm assuming this REST request is from a browser Javascript client? > > Login sessions are maintained only through a cookie. You'd have to > > login through the browser first, then read the cookie. > > > > BTW, cookies are a really bad way of securing a REST interface. Your > > REST interface becomes vulnerable to CSRF attacks. I suggest you use a > > token to secure your REST interface. If you are already using > > keycloak.js to login in, you can obtain the token from the Keycloak > > javascript interface and use that to invoke your service. > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user