4:22 p.m.
So if I understand correctly, if the REST service is running in (for
instance) Tomcat, then I can use the standard Tomcat adapter to protect
it, but use:
"bearer-only" : true
as part of the configuration, as described here:
http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#a...
Also, regarding those options, its not clear to me what public-client
means. Does that mean that there is no authentication at all? e.g.
bypass keycloak completely?
Tim
On 06/01/2016 08:23, Stian Thorgersen wrote:
The rest service doesn't check what client obtained the token only the
realm/signature and that it contains the required roles.
On 5 Jan 2016 10:20, "Tim Dudgeon" <tdudgeon.ml(a)gmail.com
<mailto:tdudgeon.ml@gmail.com>> wrote:
On 05/01/2016 07:36, Stian Thorgersen wrote:
>
>
> On 1 January 2016 at 11:52, Tim Dudgeon <tdudgeon.ml(a)gmail.com
> <mailto:tdudgeon.ml@gmail.com>> wrote:
>
> The user docs
>
(http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.ht...)
> describe exactly what I'm looking for:
>> Signed access tokens can also be propagated by REST client
>> requests within an|Authorization|header. This is great for
>> distributed integration as applications can request a login
>> from a client to obtain an access token, then invoke any
>> aggregated REST invocations to other services using that
>> access token.
> I have a web app (in Tomcat) that uses the Keycloak adapter
> for user authentication.
> This web app needs to access a REST service, running in a
> different Tomcat container and I want the REST service to
> use the same user authentication, but I'm not totally sure
> about how to go about this.
> Do I just grab the keycloak token in the header in the web
> app and add that as a header when calling the REST service,
> and set the REST service up to use the same Keycloak adapter
> configuration as the web app?
>
>
> You could or you can get the token from the adapter. Take a look at:
>
>
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c...
Thanks. That's useful.
>
> What if I want to have other ways to authenticate the REST
> service (e.g. access from multiple clients)?
>
>
> Not sure what you mean about this
For example, lets assume we have 2 apps, authenticating against
the same Keycloak realm, but as separate clients.
Both hit the same REST service and pass through their token to
that service.
How is the REST service to authenticate the requests?
All it really needs to to is check that the tokens are valid and
come from the expected (keycloak) source, even though the tokens
were generated for different clients.
Is there an adapter that handles this?
Tim
>
>
>
> Tim
>
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:47 a.m.
New subject: propagating authentication to REST layer
On 8 January 2016 at 08:22, Tim Dudgeon <tdudgeon.ml(a)gmail.com> wrote:
So if I understand correctly, if the REST service is running in (for
instance) Tomcat, then I can use the standard Tomcat adapter to protect it,
but use:
"bearer-only" : true
as part of the configuration, as described here:
http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#a...
Yes
Also, regarding those options, its not clear to me what public-client
means. Does that mean that there is no authentication at all? e.g. bypass
keycloak completely?
Public is for "public" clients. For example HTML5 applications. They can't
use a secret to authenticate the client (as the secret would be publicly
available in either case) so they rely on redirect-uri instead.
Tim
On 06/01/2016 08:23, Stian Thorgersen wrote:
The rest service doesn't check what client obtained the token only the
realm/signature and that it contains the required roles.
On 5 Jan 2016 10:20, "Tim Dudgeon" < <tdudgeon.ml(a)gmail.com>
tdudgeon.ml(a)gmail.com> wrote:
> On 05/01/2016 07:36, Stian Thorgersen wrote:
>
>
>
> On 1 January 2016 at 11:52, Tim Dudgeon < <tdudgeon.ml(a)gmail.com>
> tdudgeon.ml(a)gmail.com> wrote:
>
>> The user docs (
>>
http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.ht...)
>> describe exactly what I'm looking for:
>>
>> Signed access tokens can also be propagated by REST client requests
>> within an Authorization header. This is great for distributed
>> integration as applications can request a login from a client to obtain an
>> access token, then invoke any aggregated REST invocations to other services
>> using that access token.
>>
>> I have a web app (in Tomcat) that uses the Keycloak adapter for user
>> authentication.
>> This web app needs to access a REST service, running in a different
>> Tomcat container and I want the REST service to use the same user
>> authentication, but I'm not totally sure about how to go about this.
>> Do I just grab the keycloak token in the header in the web app and add
>> that as a header when calling the REST service, and set the REST service up
>> to use the same Keycloak adapter configuration as the web app?
>>
>
> You could or you can get the token from the adapter. Take a look at:
>
>
>
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c...
>
> Thanks. That's useful.
>
>
>
>>
>> What if I want to have other ways to authenticate the REST service (e.g.
>> access from multiple clients)?
>>
>
> Not sure what you mean about this
>
>
> For example, lets assume we have 2 apps, authenticating against the same
> Keycloak realm, but as separate clients.
> Both hit the same REST service and pass through their token to that
> service.
> How is the REST service to authenticate the requests?
> All it really needs to to is check that the tokens are valid and come
> from the expected (keycloak) source, even though the tokens were generated
> for different clients.
> Is there an adapter that handles this?
>
> Tim
>
>
>
>>
>>
>> Tim
>>
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
3043
days inactive
3043
days old
1 comments
2 participants
participants (2)
-
Stian Thorgersen -
Tim Dudgeon