Best way to get subject without adding it as request parameter in cross domain back end REST service
1:59 p.m.
I am able to use a bearer token to call a java REST service from a pure
javascript client. Unfortunately the KeycloakSecurityContext is
essentially empty on the back end. I need to filter and update data by
subject (idToken.subject) Initially I setup my back end REST application
as a bearer token only application; thinking that was the problem, I
switched to a confidential back end application but the
KeycloakSecurityContext is still not populated. In order to communicate
with the service in a cross domain way, I still need to send a bearer
token, regardless of the type of application. I can get the subject in
javascript and add it to the list of request parameters, however, it seems
that leaves me open to anyone with a valid token being able to request
another user's data. What is the best way to handle this kind of situation
using Keycloak?
1:07 p.m.
Ok I found the answer by reading the question just above mine: "Obtaining
the username from the security context". I did not realize that
session.getToken() contained the information I need. I was checking in
session.getIdToken().
On Thu, Dec 18, 2014 at 1:59 PM, Dean Peterson <peterson.dean(a)gmail.com>
wrote:
I am able to use a bearer token to call a java REST service from a
pure
javascript client. Unfortunately the KeycloakSecurityContext is
essentially empty on the back end. I need to filter and update data by
subject (idToken.subject) Initially I setup my back end REST application
as a bearer token only application; thinking that was the problem, I
switched to a confidential back end application but the
KeycloakSecurityContext is still not populated. In order to communicate
with the service in a cross domain way, I still need to send a bearer
token, regardless of the type of application. I can get the subject in
javascript and add it to the list of request parameters, however, it seems
that leaves me open to anyone with a valid token being able to request
another user's data. What is the best way to handle this kind of situation
using Keycloak?
4:05 p.m.
Actually, I see it's session.getToken().getSubject();
On Fri, Dec 19, 2014 at 1:07 PM, Dean Peterson <peterson.dean(a)gmail.com>
wrote:
Ok I found the answer by reading the question just above mine:
"Obtaining
the username from the security context". I did not realize that
session.getToken() contained the information I need. I was checking in
session.getIdToken().
On Thu, Dec 18, 2014 at 1:59 PM, Dean Peterson <peterson.dean(a)gmail.com>
wrote:
> I am able to use a bearer token to call a java REST service from a pure
> javascript client. Unfortunately the KeycloakSecurityContext is
> essentially empty on the back end. I need to filter and update data by
> subject (idToken.subject) Initially I setup my back end REST application
> as a bearer token only application; thinking that was the problem, I
> switched to a confidential back end application but the
> KeycloakSecurityContext is still not populated. In order to communicate
> with the service in a cross domain way, I still need to send a bearer
> token, regardless of the type of application. I can get the subject in
> javascript and add it to the list of request parameters, however, it seems
> that leaves me open to anyone with a valid token being able to request
> another user's data. What is the best way to handle this kind of situation
> using Keycloak?
>
9:25 a.m.
So, with Bearer token auth, the KeycloakSecurityContext is null? Or it
doesn't have any information?
On 12/18/2014 2:59 PM, Dean Peterson wrote:
I am able to use a bearer token to call a java REST service from a
pure
javascript client. Unfortunately the KeycloakSecurityContext is
essentially empty on the back end. I need to filter and update data by
subject (idToken.subject) Initially I setup my back end REST
application as a bearer token only application; thinking that was the
problem, I switched to a confidential back end application but the
KeycloakSecurityContext is still not populated. In order to communicate
with the service in a cross domain way, I still need to send a bearer
token, regardless of the type of application. I can get the subject in
javascript and add it to the list of request parameters, however, it
seems that leaves me open to anyone with a valid token being able to
request another user's data. What is the best way to handle this kind
of situation using Keycloak?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3669
days inactive
3673
days old
3 comments
2 participants
participants (2)
-
Bill Burke -
Dean Peterson