4:58 p.m.
Hello,
We have an application that is protected using Keycloak and a user can
access this application through a web front. After login the user can use
the functionality of the application. The application is also exposed
through REST API's and is protected via keycloak as part of the application
and accessible only after login into the main application.
We have a
(Step 1) Javascript application (retrieving data from) ->
(Step 2) Business Application exposed as REST API (REST API has to make
calls to backend Application mentioned above) ->
(Step 3) BackEnd Application Server + REST API.
Directly accessing the BackEnd Application Server works fine but when we
need to call the REST API from another REST service which is authenticated
via Keycloak we have issues.
We used the existing sample to try and do a POC but not sure what is the
best approach to solve this issue. The part from (Step 1) to (Step 2) works
and the REST API is protected using BEARER token. The (Step 2) to (Step 3)
is a problem as in (Step 2) we only have the BEARER token and the BackEnd
Application is protected using the full keycloak configuration. So The
BackEnd Application service is not authenticating by sending in only the
BEARER token in the header which is a full keycloak installation (work as
only a web service).
Thanks
Sam
5:42 p.m.
Should work. You'll have to actually describe what your problem is or I
can't help you. I'll take a guess though:
Keycloak doesn't propagate the Authorization bearer token header
automatically when you have multiple REST "hops" between multiple
servers You'll have to obtain the access token and set up the HTTP
header manually. The demo customer-portal example in the distro does
exactly this, so take a look at that for more details.
On 9/5/2014 10:58 AM, Red Samh wrote:
Hello,
We have an application that is protected using Keycloak and a user can
access this application through a web front. After login the user can
use the functionality of the application. The application is also
exposed through REST API's and is protected via keycloak as part of the
application and accessible only after login into the main application.
We have a
(Step 1) Javascript application (retrieving data from) ->
(Step 2) Business Application exposed as REST API (REST API has to make
calls to backend Application mentioned above) ->
(Step 3) BackEnd Application Server + REST API.
Directly accessing the BackEnd Application Server works fine but when we
need to call the REST API from another REST service which is
authenticated via Keycloak we have issues.
We used the existing sample to try and do a POC but not sure what is the
best approach to solve this issue. The part from (Step 1) to (Step 2)
works and the REST API is protected using BEARER token. The (Step 2) to
(Step 3) is a problem as in (Step 2) we only have the BEARER token and
the BackEnd Application is protected using the full keycloak
configuration. So The BackEnd Application service is not authenticating
by sending in only the BEARER token in the header which is a full
keycloak installation (work as only a web service).
Thanks
Sam
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
5:49 p.m.
Bill,
Thanks for the reply.
Yes it works when I have to call REST to another REST service and any
number of hops. The problem is calling a full fledged application from a
REST service that I have the issue. When it is an application that is both
Web App + REST and I add the authorization header (bearer) I get an
unauthorized 401 (blackbox in the attachment).
Thanks
Sam
On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke <bburke(a)redhat.com> wrote:
Should work. You'll have to actually describe what your problem
is or I
can't help you. I'll take a guess though:
Keycloak doesn't propagate the Authorization bearer token header
automatically when you have multiple REST "hops" between multiple
servers You'll have to obtain the access token and set up the HTTP
header manually. The demo customer-portal example in the distro does
exactly this, so take a look at that for more details.
On 9/5/2014 10:58 AM, Red Samh wrote:
> Hello,
>
> We have an application that is protected using Keycloak and a user can
> access this application through a web front. After login the user can
> use the functionality of the application. The application is also
> exposed through REST API's and is protected via keycloak as part of the
> application and accessible only after login into the main application.
>
> We have a
>
> (Step 1) Javascript application (retrieving data from) ->
>
> (Step 2) Business Application exposed as REST API (REST API has to make
> calls to backend Application mentioned above) ->
>
> (Step 3) BackEnd Application Server + REST API.
>
> Directly accessing the BackEnd Application Server works fine but when we
> need to call the REST API from another REST service which is
> authenticated via Keycloak we have issues.
>
> We used the existing sample to try and do a POC but not sure what is the
> best approach to solve this issue. The part from (Step 1) to (Step 2)
> works and the REST API is protected using BEARER token. The (Step 2) to
> (Step 3) is a problem as in (Step 2) we only have the BEARER token and
> the BackEnd Application is protected using the full keycloak
> configuration. So The BackEnd Application service is not authenticating
> by sending in only the BEARER token in the header which is a full
> keycloak installation (work as only a web service).
>
> Thanks
> Sam
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:51 p.m.
Wildfly or JBoss EAP 6.x or JBoss AS 7.1?
On 9/5/2014 11:49 AM, Red Samh wrote:
Bill,
Thanks for the reply.
Yes it works when I have to call REST to another REST service and any
number of hops. The problem is calling a full fledged application from
a REST service that I have the issue. When it is an application that is
both Web App + REST and I add the authorization header (bearer) I get an
unauthorized 401 (blackbox in the attachment).
Thanks
Sam
On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
Should work. You'll have to actually describe what your problem is or I
can't help you. I'll take a guess though:
Keycloak doesn't propagate the Authorization bearer token header
automatically when you have multiple REST "hops" between multiple
servers You'll have to obtain the access token and set up the HTTP
header manually. The demo customer-portal example in the distro does
exactly this, so take a look at that for more details.
On 9/5/2014 10:58 AM, Red Samh wrote:
> Hello,
>
> We have an application that is protected using Keycloak and a
user can
> access this application through a web front. After login the user can
> use the functionality of the application. The application is also
> exposed through REST API's and is protected via keycloak as part
of the
> application and accessible only after login into the main
application.
>
> We have a
>
> (Step 1) Javascript application (retrieving data from) ->
>
> (Step 2) Business Application exposed as REST API (REST API has
to make
> calls to backend Application mentioned above) ->
>
> (Step 3) BackEnd Application Server + REST API.
>
> Directly accessing the BackEnd Application Server works fine but
when we
> need to call the REST API from another REST service which is
> authenticated via Keycloak we have issues.
>
> We used the existing sample to try and do a POC but not sure what
is the
> best approach to solve this issue. The part from (Step 1) to (Step 2)
> works and the REST API is protected using BEARER token. The (Step
2) to
> (Step 3) is a problem as in (Step 2) we only have the BEARER
token and
> the BackEnd Application is protected using the full keycloak
> configuration. So The BackEnd Application service is not
authenticating
> by sending in only the BEARER token in the header which is a full
> keycloak installation (work as only a web service).
>
> Thanks
> Sam
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
5:59 p.m.
Eap 6.x, it would be nice if i could generalize to any war deployed to to
tomcat or jetty.
Thanks
Sam
On Sep 5, 2014 11:51 AM, "Bill Burke" <bburke(a)redhat.com> wrote:
Wildfly or JBoss EAP 6.x or JBoss AS 7.1?
On 9/5/2014 11:49 AM, Red Samh wrote:
> Bill,
>
> Thanks for the reply.
>
> Yes it works when I have to call REST to another REST service and any
> number of hops. The problem is calling a full fledged application from
> a REST service that I have the issue. When it is an application that is
> both Web App + REST and I add the authorization header (bearer) I get an
> unauthorized 401 (blackbox in the attachment).
>
> Thanks
> Sam
>
>
> On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke <bburke(a)redhat.com
> <mailto:bburke@redhat.com>> wrote:
>
> Should work. You'll have to actually describe what your problem is
> or I
> can't help you. I'll take a guess though:
>
> Keycloak doesn't propagate the Authorization bearer token header
> automatically when you have multiple REST "hops" between multiple
> servers You'll have to obtain the access token and set up the HTTP
> header manually. The demo customer-portal example in the distro does
> exactly this, so take a look at that for more details.
>
> On 9/5/2014 10:58 AM, Red Samh wrote:
> > Hello,
> >
> > We have an application that is protected using Keycloak and a
> user can
> > access this application through a web front. After login the user
> can
> > use the functionality of the application. The application is also
> > exposed through REST API's and is protected via keycloak as part
> of the
> > application and accessible only after login into the main
> application.
> >
> > We have a
> >
> > (Step 1) Javascript application (retrieving data from) ->
> >
> > (Step 2) Business Application exposed as REST API (REST API has
> to make
> > calls to backend Application mentioned above) ->
> >
> > (Step 3) BackEnd Application Server + REST API.
> >
> > Directly accessing the BackEnd Application Server works fine but
> when we
> > need to call the REST API from another REST service which is
> > authenticated via Keycloak we have issues.
> >
> > We used the existing sample to try and do a POC but not sure what
> is the
> > best approach to solve this issue. The part from (Step 1) to (Step
> 2)
> > works and the REST API is protected using BEARER token. The (Step
> 2) to
> > (Step 3) is a problem as in (Step 2) we only have the BEARER
> token and
> > the BackEnd Application is protected using the full keycloak
> > configuration. So The BackEnd Application service is not
> authenticating
> > by sending in only the BEARER token in the header which is a full
> > keycloak installation (work as only a web service).
> >
> > Thanks
> > Sam
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.
> jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
7:19 p.m.
A pure servlet filter is on the roadmap, but it wouldn't be as
seemlessly integrated. I'll take a look at your problem.
On 9/5/2014 11:59 AM, Red Samh wrote:
Eap 6.x, it would be nice if i could generalize to any war deployed to
to tomcat or jetty.
Thanks
Sam
On Sep 5, 2014 11:51 AM, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
Wildfly or JBoss EAP 6.x or JBoss AS 7.1?
On 9/5/2014 11:49 AM, Red Samh wrote:
Bill,
Thanks for the reply.
Yes it works when I have to call REST to another REST service
and any
number of hops. The problem is calling a full fledged
application from
a REST service that I have the issue. When it is an application
that is
both Web App + REST and I add the authorization header (bearer)
I get an
unauthorized 401 (blackbox in the attachment).
Thanks
Sam
On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>>> wrote:
Should work. You'll have to actually describe what your
problem is or I
can't help you. I'll take a guess though:
Keycloak doesn't propagate the Authorization bearer token
header
automatically when you have multiple REST "hops" between
multiple
servers You'll have to obtain the access token and set up
the HTTP
header manually. The demo customer-portal example in the
distro does
exactly this, so take a look at that for more details.
On 9/5/2014 10:58 AM, Red Samh wrote:
> Hello,
>
> We have an application that is protected using Keycloak
and a
user can
> access this application through a web front. After login
the user can
> use the functionality of the application. The
application is also
> exposed through REST API's and is protected via keycloak
as part
of the
> application and accessible only after login into the main
application.
>
> We have a
>
> (Step 1) Javascript application (retrieving data from) ->
>
> (Step 2) Business Application exposed as REST API (REST
API has
to make
> calls to backend Application mentioned above) ->
>
> (Step 3) BackEnd Application Server + REST API.
>
> Directly accessing the BackEnd Application Server works
fine but
when we
> need to call the REST API from another REST service which is
> authenticated via Keycloak we have issues.
>
> We used the existing sample to try and do a POC but not
sure what
is the
> best approach to solve this issue. The part from (Step
1) to (Step 2)
> works and the REST API is protected using BEARER token.
The (Step
2) to
> (Step 3) is a problem as in (Step 2) we only have the BEARER
token and
> the BackEnd Application is protected using the full keycloak
> configuration. So The BackEnd Application service is not
authenticating
> by sending in only the BEARER token in the header which
is a full
> keycloak installation (work as only a web service).
>
> Thanks
> Sam
>
>
> _________________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>
> https://lists.jboss.org/__mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_________________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>
https://lists.jboss.org/__mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
7:31 p.m.
Thanks Bill, much appreciated. Is there something I can do in the interim
even if it is a hack?. I was looking at adapter code or even something I
can hardcode in the rest service to pull out the user information and make
the call to the back end application?
Thanks
Sam
On Sep 5, 2014 1:19 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
A pure servlet filter is on the roadmap, but it wouldn't be as
seemlessly
integrated. I'll take a look at your problem.
On 9/5/2014 11:59 AM, Red Samh wrote:
>
> Eap 6.x, it would be nice if i could generalize to any war deployed to
> to tomcat or jetty.
>
> Thanks
> Sam
>
> On Sep 5, 2014 11:51 AM, "Bill Burke" <bburke(a)redhat.com
> <mailto:bburke@redhat.com>> wrote:
>
> Wildfly or JBoss EAP 6.x or JBoss AS 7.1?
>
>
> On 9/5/2014 11:49 AM, Red Samh wrote:
>
> Bill,
>
> Thanks for the reply.
>
> Yes it works when I have to call REST to another REST service
> and any
> number of hops. The problem is calling a full fledged
> application from
> a REST service that I have the issue. When it is an application
> that is
> both Web App + REST and I add the authorization header (bearer)
> I get an
> unauthorized 401 (blackbox in the attachment).
>
> Thanks
> Sam
>
>
> On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke <bburke(a)redhat.com
> <mailto:bburke@redhat.com>
> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>> wrote:
>
> Should work. You'll have to actually describe what your
> problem is or I
> can't help you. I'll take a guess though:
>
> Keycloak doesn't propagate the Authorization bearer token
> header
> automatically when you have multiple REST "hops" between
> multiple
> servers You'll have to obtain the access token and set up
> the HTTP
> header manually. The demo customer-portal example in the
> distro does
> exactly this, so take a look at that for more details.
>
> On 9/5/2014 10:58 AM, Red Samh wrote:
> > Hello,
> >
> > We have an application that is protected using Keycloak
> and a
> user can
> > access this application through a web front. After login
> the user can
> > use the functionality of the application. The
> application is also
> > exposed through REST API's and is protected via keycloak
> as part
> of the
> > application and accessible only after login into the main
> application.
> >
> > We have a
> >
> > (Step 1) Javascript application (retrieving data from) ->
> >
> > (Step 2) Business Application exposed as REST API (REST
> API has
> to make
> > calls to backend Application mentioned above) ->
> >
> > (Step 3) BackEnd Application Server + REST API.
> >
> > Directly accessing the BackEnd Application Server works
> fine but
> when we
> > need to call the REST API from another REST service which
> is
> > authenticated via Keycloak we have issues.
> >
> > We used the existing sample to try and do a POC but not
> sure what
> is the
> > best approach to solve this issue. The part from (Step
> 1) to (Step 2)
> > works and the REST API is protected using BEARER token.
> The (Step
> 2) to
> > (Step 3) is a problem as in (Step 2) we only have the
> BEARER
> token and
> > the BackEnd Application is protected using the full
> keycloak
> > configuration. So The BackEnd Application service is not
> authenticating
> > by sending in only the BEARER token in the header which
> is a full
> > keycloak installation (work as only a web service).
> >
> > Thanks
> > Sam
> >
> >
> > _________________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> <mailto:keycloak-user@lists.__jboss.org
> <mailto:keycloak-user@lists.jboss.org>>
> > https://lists.jboss.org/__mailman/listinfo/keycloak-user
> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _________________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> <mailto:keycloak-user@lists.__jboss.org
> <mailto:keycloak-user@lists.jboss.org>>
> https://lists.jboss.org/__mailman/listinfo/keycloak-user
> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:41 p.m.
You're going to have to elaborate on your problem as I was unable to
reproduce it.
I took examples/preconfigured-demo/customer-app and added the database/
projects Java files to it. I was able to deploy this application and do
both web and bearer auth from the same war.
Are you using latest Keycloak? 1.0-rc2?
On 9/5/2014 1:31 PM, Red Samh wrote:
Thanks Bill, much appreciated. Is there something I can do in the
interim even if it is a hack?. I was looking at adapter code or even
something I can hardcode in the rest service to pull out the user
information and make the call to the back end application?
Thanks
Sam
On Sep 5, 2014 1:19 PM, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
A pure servlet filter is on the roadmap, but it wouldn't be as
seemlessly integrated. I'll take a look at your problem.
On 9/5/2014 11:59 AM, Red Samh wrote:
Eap 6.x, it would be nice if i could generalize to any war
deployed to
to tomcat or jetty.
Thanks
Sam
On Sep 5, 2014 11:51 AM, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>>> wrote:
Wildfly or JBoss EAP 6.x or JBoss AS 7.1?
On 9/5/2014 11:49 AM, Red Samh wrote:
Bill,
Thanks for the reply.
Yes it works when I have to call REST to another REST
service
and any
number of hops. The problem is calling a full fledged
application from
a REST service that I have the issue. When it is an
application
that is
both Web App + REST and I add the authorization header
(bearer)
I get an
unauthorized 401 (blackbox in the attachment).
Thanks
Sam
On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke
<bburke(a)redhat.com <mailto:bburke@redhat.com>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>>>> wrote:
Should work. You'll have to actually describe
what your
problem is or I
can't help you. I'll take a guess though:
Keycloak doesn't propagate the Authorization
bearer token
header
automatically when you have multiple REST "hops"
between
multiple
servers You'll have to obtain the access token
and set up
the HTTP
header manually. The demo customer-portal example
in the
distro does
exactly this, so take a look at that for more details.
On 9/5/2014 10:58 AM, Red Samh wrote:
> Hello,
>
> We have an application that is protected using
Keycloak
and a
user can
> access this application through a web front.
After login
the user can
> use the functionality of the application. The
application is also
> exposed through REST API's and is protected via
keycloak
as part
of the
> application and accessible only after login
into the main
application.
>
> We have a
>
> (Step 1) Javascript application (retrieving
data from) ->
>
> (Step 2) Business Application exposed as REST
API (REST
API has
to make
> calls to backend Application mentioned above) ->
>
> (Step 3) BackEnd Application Server + REST API.
>
> Directly accessing the BackEnd Application
Server works
fine but
when we
> need to call the REST API from another REST
service which is
> authenticated via Keycloak we have issues.
>
> We used the existing sample to try and do a POC
but not
sure what
is the
> best approach to solve this issue. The part
from (Step
1) to (Step 2)
> works and the REST API is protected using
BEARER token.
The (Step
2) to
> (Step 3) is a problem as in (Step 2) we only
have the BEARER
token and
> the BackEnd Application is protected using the
full keycloak
> configuration. So The BackEnd Application
service is not
authenticating
> by sending in only the BEARER token in the
header which
is a full
> keycloak installation (work as only a web service).
>
> Thanks
> Sam
>
>
> ___________________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>
<mailto:keycloak-user@lists.
<mailto:keycloak-user@lists.>____jboss.org <http://jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>>
>
https://lists.jboss.org/____mailman/listinfo/keycloak-user
<https://lists.jboss.org/__mailman/listinfo/keycloak-user>
<https://lists.jboss.org/__mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>__>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
___________________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>
<mailto:keycloak-user@lists.
<mailto:keycloak-user@lists.>____jboss.org <http://jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>>
https://lists.jboss.org/____mailman/listinfo/keycloak-user
<https://lists.jboss.org/__mailman/listinfo/keycloak-user>
<https://lists.jboss.org/__mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>__>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:13 p.m.
Bill,
I am able to get the example to work and it is fine if I am calling REST
service to any other REST service (any number of hops). Does it work if you
try to access another web application (just submit a form, access content
or anything) that is authenticated by Keycloak or Are you able to make a
call from the REST Service to a web application that is configured with
Keycloak?
See attached explanation.
Thanks
Sam
On Fri, Sep 5, 2014 at 2:41 PM, Bill Burke <bburke(a)redhat.com> wrote:
You're going to have to elaborate on your problem as I was unable
to
reproduce it.
I took examples/preconfigured-demo/customer-app and added the database/
projects Java files to it. I was able to deploy this application and do
both web and bearer auth from the same war.
Are you using latest Keycloak? 1.0-rc2?
On 9/5/2014 1:31 PM, Red Samh wrote:
>
> Thanks Bill, much appreciated. Is there something I can do in the
> interim even if it is a hack?. I was looking at adapter code or even
> something I can hardcode in the rest service to pull out the user
> information and make the call to the back end application?
>
> Thanks
> Sam
>
> On Sep 5, 2014 1:19 PM, "Bill Burke" <bburke(a)redhat.com
> <mailto:bburke@redhat.com>> wrote:
>
> A pure servlet filter is on the roadmap, but it wouldn't be as
> seemlessly integrated. I'll take a look at your problem.
>
> On 9/5/2014 11:59 AM, Red Samh wrote:
>
>
> Eap 6.x, it would be nice if i could generalize to any war
> deployed to
> to tomcat or jetty.
>
> Thanks
> Sam
>
> On Sep 5, 2014 11:51 AM, "Bill Burke" <bburke(a)redhat.com
> <mailto:bburke@redhat.com>
> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>> wrote:
>
> Wildfly or JBoss EAP 6.x or JBoss AS 7.1?
>
>
> On 9/5/2014 11:49 AM, Red Samh wrote:
>
> Bill,
>
> Thanks for the reply.
>
> Yes it works when I have to call REST to another REST
> service
> and any
> number of hops. The problem is calling a full fledged
> application from
> a REST service that I have the issue. When it is an
> application
> that is
> both Web App + REST and I add the authorization header
> (bearer)
> I get an
> unauthorized 401 (blackbox in the attachment).
>
> Thanks
> Sam
>
>
> On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke
> <bburke(a)redhat.com <mailto:bburke@redhat.com>
> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>
> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>
> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>>>
wrote:
>
> Should work. You'll have to actually describe
> what your
> problem is or I
> can't help you. I'll take a guess though:
>
> Keycloak doesn't propagate the Authorization
> bearer token
> header
> automatically when you have multiple REST "hops"
> between
> multiple
> servers You'll have to obtain the access token
> and set up
> the HTTP
> header manually. The demo customer-portal example
> in the
> distro does
> exactly this, so take a look at that for more
> details.
>
> On 9/5/2014 10:58 AM, Red Samh wrote:
> > Hello,
> >
> > We have an application that is protected using
> Keycloak
> and a
> user can
> > access this application through a web front.
> After login
> the user can
> > use the functionality of the application. The
> application is also
> > exposed through REST API's and is protected via
> keycloak
> as part
> of the
> > application and accessible only after login
> into the main
> application.
> >
> > We have a
> >
> > (Step 1) Javascript application (retrieving
> data from) ->
> >
> > (Step 2) Business Application exposed as REST
> API (REST
> API has
> to make
> > calls to backend Application mentioned above) ->
> >
> > (Step 3) BackEnd Application Server + REST API.
> >
> > Directly accessing the BackEnd Application
> Server works
> fine but
> when we
> > need to call the REST API from another REST
> service which is
> > authenticated via Keycloak we have issues.
> >
> > We used the existing sample to try and do a POC
> but not
> sure what
> is the
> > best approach to solve this issue. The part
> from (Step
> 1) to (Step 2)
> > works and the REST API is protected using
> BEARER token.
> The (Step
> 2) to
> > (Step 3) is a problem as in (Step 2) we only
> have the BEARER
> token and
> > the BackEnd Application is protected using the
> full keycloak
> > configuration. So The BackEnd Application
> service is not
> authenticating
> > by sending in only the BEARER token in the
> header which
> is a full
> > keycloak installation (work as only a web
> service).
> >
> > Thanks
> > Sam
> >
> >
> > ______________________________
> _____________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> <mailto:keycloak-user@lists.__jboss.org
> <mailto:keycloak-user@lists.jboss.org>>
> <mailto:keycloak-user@lists.
> <mailto:keycloak-user@lists.>____jboss.org <http://jboss.org>
> <mailto:keycloak-user@lists.__jboss.org
> <mailto:keycloak-user@lists.jboss.org>>>
> >
> https://lists.jboss.org/____mailman/listinfo/keycloak-user
> <https://lists.jboss.org/__mailman/listinfo/keycloak-user>
>
> <https://lists.jboss.org/__mailman/listinfo/keycloak-user
> <https://lists.jboss.org/mailman/listinfo/keycloak-user>__>
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> ___________________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.
> jboss.org>
> <mailto:keycloak-user@lists.__jboss.org
> <mailto:keycloak-user@lists.jboss.org>>
> <mailto:keycloak-user@lists.
> <mailto:keycloak-user@lists.>____jboss.org <http://jboss.org>
> <mailto:keycloak-user@lists.__jboss.org
> <mailto:keycloak-user@lists.jboss.org>>>
> https://lists.jboss.org/____mailman/listinfo/keycloak-user
> <https://lists.jboss.org/__mailman/listinfo/keycloak-user>
>
> <https://lists.jboss.org/__mailman/listinfo/keycloak-user
> <https://lists.jboss.org/mailman/listinfo/keycloak-user>__>
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:23 p.m.
Bill,
I have rc1 and not rc2, let me check if it works in the newer version. It
may be the version.
Thanks
Sam
On Fri, Sep 5, 2014 at 3:13 PM, Red Samh <redsamh(a)gmail.com> wrote:
Bill,
I am able to get the example to work and it is fine if I am calling REST
service to any other REST service (any number of hops). Does it work if you
try to access another web application (just submit a form, access content
or anything) that is authenticated by Keycloak or Are you able to make a
call from the REST Service to a web application that is configured with
Keycloak?
See attached explanation.
Thanks
Sam
On Fri, Sep 5, 2014 at 2:41 PM, Bill Burke <bburke(a)redhat.com> wrote:
> You're going to have to elaborate on your problem as I was unable to
> reproduce it.
>
> I took examples/preconfigured-demo/customer-app and added the database/
> projects Java files to it. I was able to deploy this application and do
> both web and bearer auth from the same war.
>
> Are you using latest Keycloak? 1.0-rc2?
>
> On 9/5/2014 1:31 PM, Red Samh wrote:
>
>>
>> Thanks Bill, much appreciated. Is there something I can do in the
>> interim even if it is a hack?. I was looking at adapter code or even
>> something I can hardcode in the rest service to pull out the user
>> information and make the call to the back end application?
>>
>> Thanks
>> Sam
>>
>> On Sep 5, 2014 1:19 PM, "Bill Burke" <bburke(a)redhat.com
>> <mailto:bburke@redhat.com>> wrote:
>>
>> A pure servlet filter is on the roadmap, but it wouldn't be as
>> seemlessly integrated. I'll take a look at your problem.
>>
>> On 9/5/2014 11:59 AM, Red Samh wrote:
>>
>>
>> Eap 6.x, it would be nice if i could generalize to any war
>> deployed to
>> to tomcat or jetty.
>>
>> Thanks
>> Sam
>>
>> On Sep 5, 2014 11:51 AM, "Bill Burke" <bburke(a)redhat.com
>> <mailto:bburke@redhat.com>
>> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>>
wrote:
>>
>> Wildfly or JBoss EAP 6.x or JBoss AS 7.1?
>>
>>
>> On 9/5/2014 11:49 AM, Red Samh wrote:
>>
>> Bill,
>>
>> Thanks for the reply.
>>
>> Yes it works when I have to call REST to another REST
>> service
>> and any
>> number of hops. The problem is calling a full fledged
>> application from
>> a REST service that I have the issue. When it is an
>> application
>> that is
>> both Web App + REST and I add the authorization header
>> (bearer)
>> I get an
>> unauthorized 401 (blackbox in the attachment).
>>
>> Thanks
>> Sam
>>
>>
>> On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke
>> <bburke(a)redhat.com <mailto:bburke@redhat.com>
>> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>>
>> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>
>> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>>>
wrote:
>>
>> Should work. You'll have to actually describe
>> what your
>> problem is or I
>> can't help you. I'll take a guess though:
>>
>> Keycloak doesn't propagate the Authorization
>> bearer token
>> header
>> automatically when you have multiple REST "hops"
>> between
>> multiple
>> servers You'll have to obtain the access token
>> and set up
>> the HTTP
>> header manually. The demo customer-portal example
>> in the
>> distro does
>> exactly this, so take a look at that for more
>> details.
>>
>> On 9/5/2014 10:58 AM, Red Samh wrote:
>> > Hello,
>> >
>> > We have an application that is protected using
>> Keycloak
>> and a
>> user can
>> > access this application through a web front.
>> After login
>> the user can
>> > use the functionality of the application. The
>> application is also
>> > exposed through REST API's and is protected via
>> keycloak
>> as part
>> of the
>> > application and accessible only after login
>> into the main
>> application.
>> >
>> > We have a
>> >
>> > (Step 1) Javascript application (retrieving
>> data from) ->
>> >
>> > (Step 2) Business Application exposed as REST
>> API (REST
>> API has
>> to make
>> > calls to backend Application mentioned above) ->
>> >
>> > (Step 3) BackEnd Application Server + REST API.
>> >
>> > Directly accessing the BackEnd Application
>> Server works
>> fine but
>> when we
>> > need to call the REST API from another REST
>> service which is
>> > authenticated via Keycloak we have issues.
>> >
>> > We used the existing sample to try and do a POC
>> but not
>> sure what
>> is the
>> > best approach to solve this issue. The part
>> from (Step
>> 1) to (Step 2)
>> > works and the REST API is protected using
>> BEARER token.
>> The (Step
>> 2) to
>> > (Step 3) is a problem as in (Step 2) we only
>> have the BEARER
>> token and
>> > the BackEnd Application is protected using the
>> full keycloak
>> > configuration. So The BackEnd Application
>> service is not
>> authenticating
>> > by sending in only the BEARER token in the
>> header which
>> is a full
>> > keycloak installation (work as only a web
>> service).
>> >
>> > Thanks
>> > Sam
>> >
>> >
>> > ______________________________
>> _____________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> <mailto:keycloak-user@lists.jboss.org>
>> <mailto:keycloak-user@lists.__jboss.org
>> <mailto:keycloak-user@lists.jboss.org>>
>> <mailto:keycloak-user@lists.
>> <mailto:keycloak-user@lists.>____jboss.org
<http://jboss.org>
>> <mailto:keycloak-user@lists.__jboss.org
>> <mailto:keycloak-user@lists.jboss.org>>>
>> >
>> https://lists.jboss.org/____mailman/listinfo/keycloak-user
>> <https://lists.jboss.org/__mailman/listinfo/keycloak-user>
>>
>> <https://lists.jboss.org/__mailman/listinfo/keycloak-user
>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>__>
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> ______________________________
>> _____________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.
>> jboss.org>
>> <mailto:keycloak-user@lists.__jboss.org
>> <mailto:keycloak-user@lists.jboss.org>>
>> <mailto:keycloak-user@lists.
>> <mailto:keycloak-user@lists.>____jboss.org
<http://jboss.org>
>> <mailto:keycloak-user@lists.__jboss.org
>> <mailto:keycloak-user@lists.jboss.org>>>
>> https://lists.jboss.org/____mailman/listinfo/keycloak-user
>> <https://lists.jboss.org/__mailman/listinfo/keycloak-user>
>>
>> <https://lists.jboss.org/__mailman/listinfo/keycloak-user
>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>__>
>>
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
9:35 p.m.
I doubt the version is the problem.
On 9/5/2014 3:23 PM, Red Samh wrote:
Bill,
I have rc1 and not rc2, let me check if it works in the newer version.
It may be the version.
Thanks
Sam
On Fri, Sep 5, 2014 at 3:13 PM, Red Samh <redsamh(a)gmail.com
<mailto:redsamh@gmail.com>> wrote:
Bill,
I am able to get the example to work and it is fine if I am calling
REST service to any other REST service (any number of hops). Does it
work if you try to access another web application (just submit a
form, access content or anything) that is authenticated by Keycloak
or Are you able to make a call from the REST Service to a web
application that is configured with Keycloak?
See attached explanation.
Thanks
Sam
On Fri, Sep 5, 2014 at 2:41 PM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
You're going to have to elaborate on your problem as I was
unable to reproduce it.
I took examples/preconfigured-demo/__customer-app and added the
database/ projects Java files to it. I was able to deploy this
application and do both web and bearer auth from the same war.
Are you using latest Keycloak? 1.0-rc2?
On 9/5/2014 1:31 PM, Red Samh wrote:
Thanks Bill, much appreciated. Is there something I can do
in the
interim even if it is a hack?. I was looking at adapter code
or even
something I can hardcode in the rest service to pull out the
user
information and make the call to the back end application?
Thanks
Sam
On Sep 5, 2014 1:19 PM, "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>>> wrote:
A pure servlet filter is on the roadmap, but it
wouldn't be as
seemlessly integrated. I'll take a look at your problem.
On 9/5/2014 11:59 AM, Red Samh wrote:
Eap 6.x, it would be nice if i could generalize to
any war
deployed to
to tomcat or jetty.
Thanks
Sam
On Sep 5, 2014 11:51 AM, "Bill Burke"
<bburke(a)redhat.com <mailto:bburke@redhat.com>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>>
<mailto:bburke@redhat.com
<mailto:bburke@redhat.com> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>>>> wrote:
Wildfly or JBoss EAP 6.x or JBoss AS 7.1?
On 9/5/2014 11:49 AM, Red Samh wrote:
Bill,
Thanks for the reply.
Yes it works when I have to call REST to
another REST
service
and any
number of hops. The problem is calling a
full fledged
application from
a REST service that I have the issue. When
it is an
application
that is
both Web App + REST and I add the
authorization header
(bearer)
I get an
unauthorized 401 (blackbox in the attachment).
Thanks
Sam
On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke
<bburke(a)redhat.com <mailto:bburke@redhat.com>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>>
<mailto:bburke@redhat.com
<mailto:bburke@redhat.com> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>>>
<mailto:bburke@redhat.com
<mailto:bburke@redhat.com> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>>
<mailto:bburke@redhat.com
<mailto:bburke@redhat.com> <mailto:bburke@redhat.com
<mailto:bburke@redhat.com>>>>> wrote:
Should work. You'll have to actually
describe
what your
problem is or I
can't help you. I'll take a guess
though:
Keycloak doesn't propagate the
Authorization
bearer token
header
automatically when you have multiple
REST "hops"
between
multiple
servers You'll have to obtain the
access token
and set up
the HTTP
header manually. The demo
customer-portal example
in the
distro does
exactly this, so take a look at that
for more details.
On 9/5/2014 10:58 AM, Red Samh wrote:
> Hello,
>
> We have an application that is
protected using
Keycloak
and a
user can
> access this application through a
web front.
After login
the user can
> use the functionality of the
application. The
application is also
> exposed through REST API's and is
protected via
keycloak
as part
of the
> application and accessible only
after login
into the main
application.
>
> We have a
>
> (Step 1) Javascript application
(retrieving
data from) ->
>
> (Step 2) Business Application
exposed as REST
API (REST
API has
to make
> calls to backend Application
mentioned above) ->
>
> (Step 3) BackEnd Application
Server + REST API.
>
> Directly accessing the BackEnd
Application
Server works
fine but
when we
> need to call the REST API from
another REST
service which is
> authenticated via Keycloak we have
issues.
>
> We used the existing sample to try
and do a POC
but not
sure what
is the
> best approach to solve this issue.
The part
from (Step
1) to (Step 2)
> works and the REST API is
protected using
BEARER token.
The (Step
2) to
> (Step 3) is a problem as in (Step
2) we only
have the BEARER
token and
> the BackEnd Application is
protected using the
full keycloak
> configuration. So The BackEnd
Application
service is not
authenticating
> by sending in only the BEARER
token in the
header which
is a full
> keycloak installation (work as
only a web service).
>
> Thanks
> Sam
>
>
>
_____________________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>
<mailto:keycloak-user@lists.
<mailto:keycloak-user@lists.>____jboss.org <http://jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>>
<mailto:keycloak-user@lists
<mailto:keycloak-user@lists>.
<mailto:keycloak-user@lists
<mailto:keycloak-user@lists>.>______jboss.org
<http://jboss.org> <http://jboss.org>
<mailto:keycloak-user@lists.
<mailto:keycloak-user@lists.>____jboss.org <http://jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>>>
>
https://lists.jboss.org/______mailman/listinfo/keycloak-user
<https://lists.jboss.org/____mailman/listinfo/keycloak-user>
<https://lists.jboss.org/____mailman/listinfo/keycloak-user
<https://lists.jboss.org/__mailman/listinfo/keycloak-user>__>
<https://lists.jboss.org/____mailman/listinfo/keycloak-user
<https://lists.jboss.org/__mailman/listinfo/keycloak-user>
<https://lists.jboss.org/__mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>__>__>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_____________________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>
<mailto:keycloak-user@lists.
<mailto:keycloak-user@lists.>____jboss.org <http://jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>>
<mailto:keycloak-user@lists
<mailto:keycloak-user@lists>.
<mailto:keycloak-user@lists
<mailto:keycloak-user@lists>.>______jboss.org
<http://jboss.org> <http://jboss.org>
<mailto:keycloak-user@lists.
<mailto:keycloak-user@lists.>____jboss.org <http://jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>>>
https://lists.jboss.org/______mailman/listinfo/keycloak-user
<https://lists.jboss.org/____mailman/listinfo/keycloak-user>
<https://lists.jboss.org/____mailman/listinfo/keycloak-user
<https://lists.jboss.org/__mailman/listinfo/keycloak-user>__>
<https://lists.jboss.org/____mailman/listinfo/keycloak-user
<https://lists.jboss.org/__mailman/listinfo/keycloak-user>
<https://lists.jboss.org/__mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>__>__>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4:09 p.m.
Bill,
I redid everything and it is working now. Thanks :).
Thanks
Sam
On Fri, Sep 5, 2014 at 3:35 PM, Bill Burke <bburke(a)redhat.com> wrote:
I doubt the version is the problem.
On 9/5/2014 3:23 PM, Red Samh wrote:
> Bill,
>
> I have rc1 and not rc2, let me check if it works in the newer version.
> It may be the version.
>
> Thanks
> Sam
>
>
> On Fri, Sep 5, 2014 at 3:13 PM, Red Samh <redsamh(a)gmail.com
> <mailto:redsamh@gmail.com>> wrote:
>
> Bill,
>
> I am able to get the example to work and it is fine if I am calling
> REST service to any other REST service (any number of hops). Does it
> work if you try to access another web application (just submit a
> form, access content or anything) that is authenticated by Keycloak
> or Are you able to make a call from the REST Service to a web
> application that is configured with Keycloak?
>
> See attached explanation.
>
> Thanks
> Sam
>
>
> On Fri, Sep 5, 2014 at 2:41 PM, Bill Burke <bburke(a)redhat.com
> <mailto:bburke@redhat.com>> wrote:
>
> You're going to have to elaborate on your problem as I was
> unable to reproduce it.
>
> I took examples/preconfigured-demo/__customer-app and added the
> database/ projects Java files to it. I was able to deploy this
> application and do both web and bearer auth from the same war.
>
> Are you using latest Keycloak? 1.0-rc2?
>
> On 9/5/2014 1:31 PM, Red Samh wrote:
>
>
> Thanks Bill, much appreciated. Is there something I can do
> in the
> interim even if it is a hack?. I was looking at adapter code
> or even
> something I can hardcode in the rest service to pull out the
> user
> information and make the call to the back end application?
>
> Thanks
> Sam
>
> On Sep 5, 2014 1:19 PM, "Bill Burke" <bburke(a)redhat.com
> <mailto:bburke@redhat.com>
> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>>
wrote:
>
> A pure servlet filter is on the roadmap, but it
> wouldn't be as
> seemlessly integrated. I'll take a look at your problem.
>
> On 9/5/2014 11:59 AM, Red Samh wrote:
>
>
> Eap 6.x, it would be nice if i could generalize to
> any war
> deployed to
> to tomcat or jetty.
>
> Thanks
> Sam
>
> On Sep 5, 2014 11:51 AM, "Bill Burke"
> <bburke(a)redhat.com <mailto:bburke@redhat.com>
> <mailto:bburke@redhat.com <mailto:bburke@redhat.com
> >>
> <mailto:bburke@redhat.com
> <mailto:bburke@redhat.com> <mailto:bburke@redhat.com
> <mailto:bburke@redhat.com>>>> wrote:
>
> Wildfly or JBoss EAP 6.x or JBoss AS 7.1?
>
>
> On 9/5/2014 11:49 AM, Red Samh wrote:
>
> Bill,
>
> Thanks for the reply.
>
> Yes it works when I have to call REST to
> another REST
> service
> and any
> number of hops. The problem is calling a
> full fledged
> application from
> a REST service that I have the issue. When
> it is an
> application
> that is
> both Web App + REST and I add the
> authorization header
> (bearer)
> I get an
> unauthorized 401 (blackbox in the
> attachment).
>
> Thanks
> Sam
>
>
> On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke
> <bburke(a)redhat.com <mailto:bburke@redhat.com>
> <mailto:bburke@redhat.com <mailto:bburke@redhat.com>>
> <mailto:bburke@redhat.com
> <mailto:bburke@redhat.com> <mailto:bburke@redhat.com
> <mailto:bburke@redhat.com>>>
> <mailto:bburke@redhat.com
> <mailto:bburke@redhat.com> <mailto:bburke@redhat.com
> <mailto:bburke@redhat.com>>
> <mailto:bburke@redhat.com
> <mailto:bburke@redhat.com> <mailto:bburke@redhat.com
> <mailto:bburke@redhat.com>>>>> wrote:
>
> Should work. You'll have to actually
> describe
> what your
> problem is or I
> can't help you. I'll take a guess
> though:
>
> Keycloak doesn't propagate the
> Authorization
> bearer token
> header
> automatically when you have multiple
> REST "hops"
> between
> multiple
> servers You'll have to obtain the
> access token
> and set up
> the HTTP
> header manually. The demo
> customer-portal example
> in the
> distro does
> exactly this, so take a look at that
> for more details.
>
> On 9/5/2014 10:58 AM, Red Samh wrote:
> > Hello,
> >
> > We have an application that is
> protected using
> Keycloak
> and a
> user can
> > access this application through a
> web front.
> After login
> the user can
> > use the functionality of the
> application. The
> application is also
> > exposed through REST API's and is
> protected via
> keycloak
> as part
> of the
> > application and accessible only
> after login
> into the main
> application.
> >
> > We have a
> >
> > (Step 1) Javascript application
> (retrieving
> data from) ->
> >
> > (Step 2) Business Application
> exposed as REST
> API (REST
> API has
> to make
> > calls to backend Application
> mentioned above) ->
> >
> > (Step 3) BackEnd Application
> Server + REST API.
> >
> > Directly accessing the BackEnd
> Application
> Server works
> fine but
> when we
> > need to call the REST API from
> another REST
> service which is
> > authenticated via Keycloak we have
> issues.
> >
> > We used the existing sample to try
> and do a POC
> but not
> sure what
> is the
> > best approach to solve this issue.
> The part
> from (Step
> 1) to (Step 2)
> > works and the REST API is
> protected using
> BEARER token.
> The (Step
> 2) to
> > (Step 3) is a problem as in (Step
> 2) we only
> have the BEARER
> token and
> > the BackEnd Application is
> protected using the
> full keycloak
> > configuration. So The BackEnd
> Application
> service is not
> authenticating
> > by sending in only the BEARER
> token in the
> header which
> is a full
> > keycloak installation (work as
> only a web service).
> >
> > Thanks
> > Sam
> >
> >
> >
> _____________________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> <mailto:keycloak-user@lists.__jboss.org
> <mailto:keycloak-user@lists.jboss.org>>
> <mailto:keycloak-user@lists.
> <mailto:keycloak-user@lists.>____jboss.org
<http://jboss.org>
> <mailto:keycloak-user@lists.__jboss.org
> <mailto:keycloak-user@lists.jboss.org>>>
> <mailto:keycloak-user@lists
> <mailto:keycloak-user@lists>.
> <mailto:keycloak-user@lists
> <mailto:keycloak-user@lists>.>______jboss.org
> <http://jboss.org> <http://jboss.org>
> <mailto:keycloak-user@lists.
> <mailto:keycloak-user@lists.>____jboss.org
<http://jboss.org>
> <mailto:keycloak-user@lists.__jboss.org
> <mailto:keycloak-user@lists.jboss.org>>>>
> >
> https://lists.jboss.org/______mailman/listinfo/keycloak-user
> <https://lists.jboss.org/____mailman/listinfo/keycloak-user>
>
> <https://lists.jboss.org/____mailman/listinfo/keycloak-user
> <https://lists.jboss.org/__mailman/listinfo/keycloak-user>__>
>
>
> <https://lists.jboss.org/____mailman/listinfo/keycloak-user
> <https://lists.jboss.org/__mailman/listinfo/keycloak-user>
>
> <https://lists.jboss.org/__mailman/listinfo/keycloak-user
> <https://lists.jboss.org/mailman/listinfo/keycloak-user
> >__>__>
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> _____________________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> <mailto:keycloak-user@lists.__jboss.org
> <mailto:keycloak-user@lists.jboss.org>>
> <mailto:keycloak-user@lists.
> <mailto:keycloak-user@lists.>____jboss.org
<http://jboss.org>
> <mailto:keycloak-user@lists.__jboss.org
> <mailto:keycloak-user@lists.jboss.org>>>
> <mailto:keycloak-user@lists
> <mailto:keycloak-user@lists>.
> <mailto:keycloak-user@lists
> <mailto:keycloak-user@lists>.>______jboss.org
> <http://jboss.org> <http://jboss.org>
> <mailto:keycloak-user@lists.
> <mailto:keycloak-user@lists.>____jboss.org
<http://jboss.org>
> <mailto:keycloak-user@lists.__jboss.org
> <mailto:keycloak-user@lists.jboss.org>>>>
> https://lists.jboss.org/______mailman/listinfo/keycloak-user
> <https://lists.jboss.org/____mailman/listinfo/keycloak-user>
>
> <https://lists.jboss.org/____mailman/listinfo/keycloak-user
> <https://lists.jboss.org/__mailman/listinfo/keycloak-user>__>
>
>
> <https://lists.jboss.org/____mailman/listinfo/keycloak-user
> <https://lists.jboss.org/__mailman/listinfo/keycloak-user>
>
> <https://lists.jboss.org/__mailman/listinfo/keycloak-user
> <https://lists.jboss.org/mailman/listinfo/keycloak-user
> >__>__>
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3792
days inactive
3795
days old
11 comments
2 participants
participants (2)
-
Bill Burke -
Red Samh