FYI, in WildFly 11 with Elytron, identity propagation will be supported OOTB.
This is one of the main features brought to you by Elytron.
Your client should be able to authenticate with a remote server using an
OAuth2 Access Token (remoting + SASL OAUTHBEARER), which in turn can be
automatically propagated to other servers in the topology. In fact, you can
even propagate credentials if using other authentication mechanisms such as
PLAIN or Kerberos.
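The SASL OAUTHBEARER step mentioned above, as an added example that is not part of this thread and not WildFly or Keycloak code: it builds and structurally validates the RFC 7628 initial client response that carries the OAuth2 access token over the SASL exchange. The host, port, token and authzid values are constructed sample data.

```python
# Added example, not code from the thread or from WildFly/Keycloak: the wire
# format of the SASL OAUTHBEARER initial client response (RFC 7628) that carries
# an OAuth2 access token, plus the server-side structural check of that message.
import json
import re

KVSEP = "\x01"  # RFC 7628 key/value separator (control character 0x01)


def build_initial_response(token, host, port, authzid=""):
    """Client side: encode the first OAUTHBEARER message (GS2 header + kvpairs)."""
    if not token or any(c in token for c in (KVSEP, "\r", "\n", " ")):
        raise ValueError("token must be non-empty and free of separators")
    gs2_header = "n," + ("a=" + authzid if authzid else "") + ","
    kvpairs = "host=%s%sport=%d%sauth=Bearer %s%s" % (host, KVSEP, port, KVSEP, token, KVSEP)
    return (gs2_header + KVSEP + kvpairs + KVSEP).encode("utf-8")


def parse_initial_response(msg):
    """Server side: decode and structurally validate the client's first message.
    Returns the fields; checking the token itself (signature, expiry, audience,
    and that it really belongs to the claimed authzid) is a separate, mandatory
    step that must happen before any identity is propagated further."""
    text = msg.decode("utf-8")
    if text == KVSEP:  # lone kvsep: client acknowledging a server failure
        return {"abort": True}
    if not text.endswith(KVSEP * 2):
        raise ValueError("missing terminating kvsep")
    m = re.match(r"^([ny]|p=[^,]+),(?:a=([^,]*))?,\x01", text)
    if not m:
        raise ValueError("malformed GS2 header")
    fields = {"cbind": m.group(1), "authzid": m.group(2) or None}
    for pair in text[m.end():-1].split(KVSEP):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep or key in fields:
            raise ValueError("bad or duplicate kvpair: %r" % pair)
        fields[key] = value
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("auth kvpair must carry a Bearer token")
    fields["token"] = token
    return fields


def server_failure(status, scope=None):
    """Server's JSON reply when the token is rejected (RFC 7628 section 3.2.2)."""
    body = {"status": status}
    if scope:
        body["scope"] = scope
    return json.dumps(body).encode("utf-8")
```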
On Wed, Jul 12, 2017 at 4:10 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
Hi,
We have an example in the documentation for EJB propagation from a web
application using Keycloak. See
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/jboss-adapter.html
and especially the last paragraph "Security domain".
We have an unofficial example I've written to propagate identity from a fat
client through remote EJB calls:
https://github.com/mposolda/keycloak-remote-ejb
Marek
On 04/07/17 18:42, Tech wrote:
> Dear experts,
>
> I want to bring you this use case to understand if you might be able to
> support me.
>
> Our architecture is based on Java, where we might have two kinds of
> clients:
>
> * Fat Java clients
> * Browsers
>
> Application servers with:
>
> * Web containers performing local and remote EJB calls + remote WS
> calls
> * EJB container performing local and remote EJB calls + remote WS
> calls
> * A remote EJB server performing local and remote EJB calls + remote
> WS calls
> * WS implementing SOAP or REST
> * Server SSO able to protect what is described above
>
> The goal is to allow the clients (thin and fat) to authenticate on the
> SSO server and to propagate the user identity on these requests:
>
> * Fat client authenticated -> EJB secure -> WS secure
> * Browser authenticated -> Web container -> EJB secure -> WS secure
>
> The solution could use a secure token OAuth, OIDC or SAML.
>
> The token propagation should be based on standards JAAS and WS-Security.
>
> We saw that it is possible to implement something similar in some SAML
> Login Modules on JBoss Enterprise server, but we are not finding
> anything equivalent in Keycloak.
>
> We also cannot find, for example, even for an STS server, what the
> required elements are to transform this kind of token.
>
>
> Did anybody face a similar experience?
>
> Thanks for your support!
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user