4:31 a.m.
I have a suite of spring applications that are using keycloak for authentication. I'm
using the Keycloak spring security adapter and have my successfully secured the endpoints
that I want to. I have situations where I need Application A to make a call to a secured
endpoint on Application B. I am able to do this client to client communication by using
the KeycloakRestTemplate but only when a user calls Application A with a valid token.
Application A also has a process that will call Application B without user interaction.
When this is done I get an error "java.lang.IllegalStateException: Cannot set
authorization header because there is no authenticated principal". This makes sense
since I don't have a valid user token.
Application A and Application B use the same client in keycloak and it is set to be a
confidential client. I have tried it with and without having service accounts enabled.
Some questions I have are:
1. How do I have applications (not users) call a secured REST endpoint?
2. Do the provided keycloak adapters (like the spring security adapter) provide this
functionality?
3. Do I need an additional client account to do this?
4. Are there any libraries that handle refreshing these tokens or automatically obtaining
one if it doesn't exist?
I see lots of examples on how a user can access a secured service, but not much on an
application accessing a secured service.
6:45 a.m.
(including mailing list)
On Thu, Dec 1, 2016 at 8:31 PM, Matt H <tsdgcc2087(a)outlook.com> wrote:
I have a suite of spring applications that are using keycloak for
authentication. I'm using the Keycloak spring security adapter and have my
successfully secured the endpoints that I want to. I have situations where
I need Application A to make a call to a secured endpoint on Application
B. I am able to do this client to client communication by using the
KeycloakRestTemplate but only when a user calls Application A with a valid
token.
Application A also has a process that will call Application B without user
interaction. When this is done I get an error "java.lang.IllegalStateException:
Cannot set authorization header because there is no authenticated
principal". This makes sense since I don't have a valid user token.
Application A and Application B use the same client in keycloak and it is
set to be a confidential client. I have tried it with and without having
service accounts enabled.
When you say "with service accounts enabled", have you followed all the
instructions from here https://keycloak.gitbooks.io/
server-adminstration-guide/content/topics/clients/oidc/service-accounts.html
, meaning also calling the /{server-root-usualy-auth}/
realms/{realm-name}/protocol/openid-connect/token endpoint in order to
retrieve a valid token ?
Some questions I have are:
1. How do I have applications (not users) call a secured REST endpoint?
2. Do the provided keycloak adapters (like the spring security adapter)
provide this functionality?
3. Do I need an additional client account to do this?
4. Are there any libraries that handle refreshing these tokens or
automatically obtaining one if it doesn't exist?
I see lots of examples on how a user can access a secured service, but not
much on an application accessing a secured service.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:58 a.m.
Yes, I was looking at that guide. I knew how to go to the keycloak token endpoint and get
a token. I wasn't sure if this is the way it needed to be done, or if It could be
done through the provided adapters.
When the adapters are already being used, and it knows of your client and secret already,
it seemed like a lot of overhead to go out to keycloak some other way and make sure that
token is not expired (along with re-issuing a token logic), then make the call. If this
is the required way, that's fine.
________________________________
From: Sebastien Blanc <sblanc(a)redhat.com>
Sent: Thursday, December 1, 2016 3:45 PM
To: Matt H
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] How to access secured REST endpoint from
keycloak-spring-security-adapter
(including mailing list)
On Thu, Dec 1, 2016 at 8:31 PM, Matt H
<tsdgcc2087@outlook.com<mailto:tsdgcc2087@outlook.com>> wrote:
I have a suite of spring applications that are using keycloak for authentication. I'm
using the Keycloak spring security adapter and have my successfully secured the endpoints
that I want to. I have situations where I need Application A to make a call to a secured
endpoint on Application B. I am able to do this client to client communication by using
the KeycloakRestTemplate but only when a user calls Application A with a valid token.
Application A also has a process that will call Application B without user interaction.
When this is done I get an error "java.lang.IllegalStateException: Cannot set
authorization header because there is no authenticated principal". This makes sense
since I don't have a valid user token.
Application A and Application B use the same client in keycloak and it is set to be a
confidential client. I have tried it with and without having service accounts enabled.
When you say "with service accounts enabled", have you followed all the
instructions from here
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/cl...
, meaning also calling the
/{server-root-usualy-auth}/realms/{realm-name}/protocol/openid-connect/token endpoint in
order to retrieve a valid token ?
Some questions I have are:
1. How do I have applications (not users) call a secured REST endpoint?
2. Do the provided keycloak adapters (like the spring security adapter) provide this
functionality?
3. Do I need an additional client account to do this?
4. Are there any libraries that handle refreshing these tokens or automatically obtaining
one if it doesn't exist?
I see lots of examples on how a user can access a secured service, but not much on an
application accessing a secured service.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:04 p.m.
There is one way you can leverage the adapter for this , is using this
method :
ClientCredentialsProviderUtils.setClientCredentials(deployment, reqHeaders,
reqParams);
This way, you don't have to worry about passing your credentials. But it's
worth thinking on how we can enhance the developer experience in this area,
if you have some ideas feels free to share them and I will also open a
ticket to track this.
On Thu, Dec 1, 2016 at 10:58 PM, Matt H <tsdgcc2087(a)outlook.com> wrote:
Yes, I was looking at that guide. I knew how to go to the keycloak
token
endpoint and get a token. I wasn't sure if this is the way it needed to be
done, or if It could be done through the provided adapters.
When the adapters are already being used, and it knows of your client and
secret already, it seemed like a lot of overhead to go out to keycloak some
other way and make sure that token is not expired (along with re-issuing a
token logic), then make the call. If this is the required way, that's fine.
------------------------------
*From:* Sebastien Blanc <sblanc(a)redhat.com>
*Sent:* Thursday, December 1, 2016 3:45 PM
*To:* Matt H
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] How to access secured REST endpoint from
keycloak-spring-security-adapter
(including mailing list)
On Thu, Dec 1, 2016 at 8:31 PM, Matt H <tsdgcc2087(a)outlook.com> wrote:
> I have a suite of spring applications that are using keycloak for
> authentication. I'm using the Keycloak spring security adapter and have my
> successfully secured the endpoints that I want to. I have situations where
> I need Application A to make a call to a secured endpoint on Application
> B. I am able to do this client to client communication by using the
> KeycloakRestTemplate but only when a user calls Application A with a valid
> token.
>
>
> Application A also has a process that will call Application B without
> user interaction. When this is done I get an error
> "java.lang.IllegalStateException: Cannot set authorization header
> because there is no authenticated principal". This makes sense since I
> don't have a valid user token.
>
>
> Application A and Application B use the same client in keycloak and it is
> set to be a confidential client. I have tried it with and without having
> service accounts enabled.
>
When you say "with service accounts enabled", have you followed all the
instructions from here https://keycloak.gitbooks.io/s
erver-adminstration-guide/content/topics/clients/oidc/servic
e-accounts.html , meaning also calling the /{server-root-usualy-auth}/rea
lms/{realm-name}/protocol/openid-connect/token endpoint in order to
retrieve a valid token ?
>
>
> Some questions I have are:
>
> 1. How do I have applications (not users) call a secured REST endpoint?
>
> 2. Do the provided keycloak adapters (like the spring security adapter)
> provide this functionality?
>
> 3. Do I need an additional client account to do this?
>
> 4. Are there any libraries that handle refreshing these tokens or
> automatically obtaining one if it doesn't exist?
>
>
> I see lots of examples on how a user can access a secured service, but
> not much on an application accessing a secured service.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
2713
days inactive
2714
days old
3 comments
2 participants
participants (2)
-
Matt H -
Sebastien Blanc