Never mind, I figured it out. Got the token from the request header and converted it to an
AccessToken object.
Thanks anyways!
-----Original Message-----
From: Ryvlin, Andrey
Sent: Thursday, April 23, 2015 11:43 AM
To: Bill Burke; keycloak-user(a)lists.jboss.org
Subject: RE: [keycloak-user] Exchange access token to id token
Hi Bill,
I need your help!
I created a demo rest service with Keycloak role based security. I use OAuth client to
obtain token, which I pass into the request header.
Everything works fine, I pass all security constraints and REST endpoint gets executed.
Now I am trying to get access token from the request as you suggested:
AccessToken accessToken =
((KeycloakSecurityContext)request.getAttribute(KeycloakSecurityContext.class.getName())).getToken();
But request.getAttribute(KeycloakSecurityContext.class.getName()) returns null.
Here is the code of my REST WS class:
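import java.util.Enumeration;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import org.keycloak.KeycloakSecurityContext;

@Path("/")
public class SampleDataService {
    @Context HttpServletRequest servletRequest;

    @GET
    @Path("/query")
    @Produces("text/plain")
    public String getData() {
        // Collect the names of all attributes present on the request
        Enumeration<String> attributes = servletRequest.getAttributeNames();
        StringBuilder names = new StringBuilder("Attributes: ");
        while (attributes.hasMoreElements()) {
            names.append(attributes.nextElement());
            names.append(", ");
        }
        // Print the security context attribute looked up by its class name
        System.out.println("Keycloak security context: "
                + servletRequest.getAttribute(KeycloakSecurityContext.class.getName()));
        System.out.println("Request " + names.toString());
        return "Sample data for id ";
    }
}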
Console output is like this:
11:28:22,400 DEBUG [org.apache.catalina.realm.RealmBase] (http-/0.0.0.0:8080-1) Checking constraint 'SecurityConstraint[Admins]' against GET /query --> true
11:28:22,401 DEBUG [org.apache.catalina.realm.RealmBase] (http-/0.0.0.0:8080-1) Checking constraint 'SecurityConstraint[Admins]' against GET /query --> true
11:28:22,401 DEBUG [org.apache.catalina.realm.RealmBase] (http-/0.0.0.0:8080-1) Checking constraint 'SecurityConstraint[Admins]' against GET /query --> true
11:28:22,401 DEBUG [org.apache.catalina.realm.RealmBase] (http-/0.0.0.0:8080-1) Checking constraint 'SecurityConstraint[Admins]' against GET /query --> true
11:28:22,401 DEBUG [org.apache.catalina.realm.RealmBase] (http-/0.0.0.0:8080-1) No applicable constraint located
11:28:22,401 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-/0.0.0.0:8080-1) Not subject to any constraint
11:28:22,401 DEBUG [org.keycloak.adapters.tomcat.AuthenticatedActionsValve] (http-/0.0.0.0:8080-1) AuthenticatedActionsValve.invoke /audit/query
11:28:22,401 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (http-/0.0.0.0:8080-1) AuthenticatedActionsValve.invoke http://localhost:8080/audit/query
11:28:22,402 INFO [stdout] (http-/0.0.0.0:8080-1) Keycloak security context: null
11:28:22,403 INFO [stdout] (http-/0.0.0.0:8080-1) Request Attributes: RESTEASY_CHOSEN_ACCEPT, org.jboss.resteasy.core.ResourceMethodInvoker,
Please advise.
Thanks?
-----------------
Andrey Ryvlin
Principal Software Engineer
-----Original Message-----
From: Bill Burke [mailto:bburke@redhat.com]
Sent: Friday, April 03, 2015 2:40 PM
To: Ryvlin, Andrey; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Exchange access token to id token
Oh, you have a REST service being invoked on? And you want to get claim information?
Yes, you can get the access token.
AccessToken accessToken =
((KeycloakSecurityContext)request.getAttribute(KeycloakSecurityContext.class.getName())).getToken();
request here is HttpServletRequest
On 4/3/2015 3:29 PM, Ryvlin, Andrey wrote:
Can I get user id from the access token?
That's the only token I can get from HTTP Authorization header. Actual login and
getting login response happens earlier, at my web application or oauth client.
So, at my REST implementation class I only have access token.
Thanks!!
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Bill Burke
Sent: Friday, April 03, 2015 2:20 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Exchange access token to id token
Our access tokens are actually JsonWebTokens packaged in a Json Web Signature. Direct
Grant login should also return an IDToken within the Access Token Response.
On 4/3/2015 3:15 PM, Ryvlin, Andrey wrote:
> Hi,
>
> I’m using Keycloak direct grant login to my REST APIs and I need to
> get authenticated user information for auditing purpose.
>
> At my REST implementation class I can get access token from HTTP
> header by using a request interceptor, but I believe that token is
> useless for auditing.
>
> Is there Keycloak REST API to get id token for the access token?
>
> Thank you in advance
>
> Andrey Ryvlin
>
> Sr. Software Engineer
>
>
> ----------------------------------------------------------------------
>
> This message is only for the use of the intended recipient and may
> contain information that is CONFIDENTIAL and PROPRIETARY to
> MorphoTrust USA, Inc. If you are not the intended recipient, please
> erase all copies of the message and its attachments and notify the sender
> immediately.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
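
Added example, not part of the original thread and not Keycloak's own code: because the access token is a JWT packaged in a JSON Web Signature, a service that reads it from the Authorization header itself has to verify the signature before using any claim in an audit record. The sketch uses only the JDK; the class name, the constructed key pair and token, and the regex claim lookup are assumptions for illustration (a real service would use the realm's public key and a JSON parser).

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration (hypothetical class): verify an RS256-signed bearer token
// and read its "sub" claim for an audit record.
public class BearerAuditDemo {
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();

    /** Returns the subject claim, or throws if the header or signature is bad. */
    static String verifiedSubject(String authorizationHeader, PublicKey realmKey)
            throws GeneralSecurityException {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
            throw new SecurityException("missing bearer token");
        }
        String[] parts = authorizationHeader.substring(7).trim().split("\\.");
        if (parts.length != 3) throw new SecurityException("not a compact JWS");
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the algorithm: the token must not be able to select "none" or an HMAC variant.
        if (!header.contains("\"alg\":\"RS256\"")) throw new SecurityException("unexpected alg");
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(realmKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(B64D.decode(parts[2]))) throw new SecurityException("bad signature");
        String claims = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        // Simplified lookup for the demo; use a JSON parser in real code.
        Matcher m = Pattern.compile("\"sub\"\\s*:\\s*\"([^\"]+)\"").matcher(claims);
        if (!m.find()) throw new SecurityException("no sub claim");
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair and token standing in for the realm key and a real login.
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        String h = B64E.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8));
        String p = B64E.encodeToString(
                "{\"sub\":\"constructed-user-id\"}".getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update((h + "." + p).getBytes(StandardCharsets.US_ASCII));
        String token = h + "." + p + "." + B64E.encodeToString(s.sign());
        System.out.println("audit user = " + verifiedSubject("Bearer " + token, kp.getPublic()));
    }
}
```

Expiry and issuer checks are left out to keep the sketch to the signature step; an audit trail should record a claim only after all three pass.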