On 1/29/2014 10:58 AM, Nils Preusker wrote:
we are developing an application that consists of several REST
web-applications written with different application frameworks (Java EE
6/ JBoss AS and Vert.x). So far we are
from the skelton-key-as7 template (which as far as I can see, keycloak
is based on?) as an OAuth provider and just add bearer tokens to the
authentication headers of the HTTP requests between the modules.
One of the really nice features for us is that the role mapping of users
is included in the tokens (which is also described in the keycloak docs
with a reference to JSON Web Tokens).
Now the modules that are deployed to JBoss AS transparently verify the
bearer tokens and RESTEasy even takes care of adding the username and
the user roles to the HttpServletRequest which also allows us to use
@RolesAllowed (very convenient!).
What I'm wondering now is whether there is an easy way of adding
validation and decoding of bearer tokens to Vert.x modules. Ideally, I
would like to be able to add a jar dependency that provides me with a
few methods to validate the token (make sure it is a real token, hasn't
been modified and didn't expire...) and extract the user and roles from
it. Since a private key is needed, I guess I would add a json config
file or even just pass the required values to the API directly.
Don't know anything about vert.x, but if you use the keycloak-core
module, it has all the code needed to unmarshal and verify the token.
JBoss, a division of Red Hat