On 8 January 2016 at 08:22, Tim Dudgeon <tdudgeon.ml(a)gmail.com> wrote:

> So if I understand correctly, if the REST service is running in (for
> instance) Tomcat, then I can use the standard Tomcat adapter to protect it,
> but use:
> "bearer-only" : true
> as part of the configuration, as described here:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#a...

Yes

> Also, regarding those options, it's not clear to me what public-client
> means. Does that mean that there is no authentication at all? e.g. bypass
> keycloak completely?

Public is for "public" clients. For example HTML5 applications. They can't
use a secret to authenticate the client (as the secret would be publicly
available in either case) so they rely on redirect-uri instead.

> Tim
On 06/01/2016 08:23, Stian Thorgersen wrote:
The REST service doesn't check what client obtained the token, only the
realm/signature and that it contains the required roles.
On 5 Jan 2016 10:20, "Tim Dudgeon" <tdudgeon.ml(a)gmail.com> wrote:
> On 05/01/2016 07:36, Stian Thorgersen wrote:
>
>
>
> On 1 January 2016 at 11:52, Tim Dudgeon <tdudgeon.ml(a)gmail.com> wrote:
>
>> The user docs
>> (http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.ht...)
>> describe exactly what I'm looking for:
>>
>> Signed access tokens can also be propagated by REST client requests
>> within an Authorization header. This is great for distributed
>> integration as applications can request a login from a client to obtain an
>> access token, then invoke any aggregated REST invocations to other services
>> using that access token.
>>
>> I have a web app (in Tomcat) that uses the Keycloak adapter for user
>> authentication.
>> This web app needs to access a REST service, running in a different
>> Tomcat container and I want the REST service to use the same user
>> authentication, but I'm not totally sure about how to go about this.
>> Do I just grab the keycloak token in the header in the web app and add
>> that as a header when calling the REST service, and set the REST service up
>> to use the same Keycloak adapter configuration as the web app?
>>
>
> You could or you can get the token from the adapter. Take a look at:
>
>
>
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c...
>
> Thanks. That's useful.
>
>
>
>>
>> What if I want to have other ways to authenticate the REST service (e.g.
>> access from multiple clients)?
>>
>
> Not sure what you mean about this
>
>
> For example, let's assume we have 2 apps, authenticating against the same
> Keycloak realm, but as separate clients.
> Both hit the same REST service and pass through their token to that
> service.
> How is the REST service to authenticate the requests?
> All it really needs to do is check that the tokens are valid and come
> from the expected (keycloak) source, even though the tokens were generated
> for different clients.
> Is there an adapter that handles this?
>
> Tim
>
>
>
>>
>>
>> Tim
>>
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
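
The check described in the thread (the bearer-only service verifies the realm, the signature and the required roles, not which client obtained the token), as an added example that is not part of the thread and is not Keycloak's adapter code. The toy RSA key, the issuer URL, the client names and the claim layout (`iss`, `azp`, `exp`, `realm_access.roles`) are assumptions for illustration, and the `exp` check is an addition the thread does not mention.

```python
import base64, hashlib, json

# Constructed toy RSA key from two Mersenne primes (demo only, not secure);
# it stands in for the realm's signing key pair.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
ISSUER = "https://sso.example.test/auth/realms/demo"  # assumed realm URL

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encoded_message(signing_input):
    # EMSA-PKCS1-v1_5 encoding of the SHA-256 digest, as an integer
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def issue(claims, d=D):
    # Stand-in for the identity server: sign the claims as an RS256 JWT
    head = b64u(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = pow(encoded_message(f"{head}.{body}".encode()), d, N)
    return f"{head}.{body}.{b64u(sig.to_bytes(K, 'big'))}"

def accept(token, required_role, now):
    # Bearer-only service: signature, realm, expiry, role. "azp" is never read.
    try:
        head, body, sig = token.split(".")
        if json.loads(unb64u(head)).get("alg") != "RS256":
            return False
        s = int.from_bytes(unb64u(sig), "big")
        if s >= N or pow(s, E, N) != encoded_message(f"{head}.{body}".encode()):
            return False
        claims = json.loads(unb64u(body))
        roles = claims.get("realm_access", {}).get("roles", [])
        return (claims.get("iss") == ISSUER and claims.get("exp", 0) > now
                and required_role in roles)
    except (ValueError, AttributeError, TypeError):
        return False

def demo(now=1452240000):
    base = {"iss": ISSUER, "exp": now + 300, "realm_access": {"roles": ["user"]}}
    tokens = {c: issue({**base, "azp": c}) for c in ("web-app-1", "web-app-2")}
    return {c: accept(t, "user", now) for c, t in tokens.items()}
```

`demo()` issues one token per constructed client and both are accepted by the same service, because only the realm key, issuer and role decide the outcome.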