Looking at this more closely, it seems like it's related to the fact
that I'm using a different domain for my keycloak server. I'm not sure
why, but when I switch the server from "bearer-only" to
"enable-basic-auth" I immediately see a 'code' query param start showing
up in the URLs my UI uses. At the same time, I start seeing 'No state
cookie' in the server output.
Knowing that cookies are tied to the domain in which they're created,
could it be that redirecting to a different domain for keycloak
authentication breaks the bearer auth to my REST server? If so, why
would it (and the use of the 'code' query param) change when going from
"bearer-only" -> "enable-basic-auth"?
I haven't set breakpoints and debugged this yet. It's not awesome that
an app user can't determine enough from the (extensive) configuration
guide to be able to do this without setting up a debugger...Do you have
a FAQ / Troubleshooting area where these things can be logged so the
next user doesn't have to spend days on this?
On 07/15/2015 10:56 AM, Juraci Paixão Kröhling wrote:
It should *not* be needed. In Hawkular, we don't need to do
anything
extra to get the backend adapter to accept bearer tokens *and* basic
authentication. I'd say that you are missing some configuration entry.
I'd recommend putting a breakpoint on those places and then following
the code:
http://git.io/vml9j
http://git.io/vmlXS
http://git.io/vm3Qj
- Juca.
On 07/15/2015 05:17 PM, John Casey wrote:
> Actually, that's where I started before I originally asked this list.
> From following the configuration examples there, and checking my realm
> configuration against that in the example, I was only able to setup ONE
> OR THE OTHER of the following cases (never both):
>
> - basic authentication worked on the REST server, when using curl as a
> client
>
> - the UI worked, using a bearer token (the javascript adapter was doing
> the actual sign-in)
>
> After taking Bill's advice to look at implementing another LoginModule,
> I came up with this:
>
>
http://bit.ly/1CH4kdU
>
> This actually satisfies both cases by doing the BASIC -> Bearer
> translation on the server side, then passing it on to Keycloak's
> authentication mechanisms...but I'm not sure it's the most elegant solution.
>
> On 07/15/2015 02:17 AM, Stian Thorgersen wrote:
>> Have a look at basic-auth example, it's included in the examples dl.
>>
>> ----- Original Message -----
>>> From: "John Casey" <jdcasey(a)commonjava.org>
>>> To: "Bill Burke" <bburke(a)redhat.com>,
keycloak-user(a)lists.jboss.org
>>> Sent: Tuesday, 14 July, 2015 9:23:46 PM
>>> Subject: Re: [keycloak-user] help with bearer + basic auth
>>>
>>> Well, when I use "enable-basic-auth" this works fine:
>>>
>>> $ curl -u test -i
http://localhost:8081/api/admin/remote
>>> Enter host password for user 'test':
>>> HTTP/1.1 200 OK
>>> ...
>>>
>>> However, that configuration causes the UI use a 'code' query param
and
>>> encounter 400 responses. In the keycloak server output I see:
>>>
>>> 19:19:07,524 WARN [org.keycloak.events] (default task-7)
>>> type=REFRESH_TOKEN_ERROR, realmId=master,
>>> clientId=security-admin-console, userId=null, ipAddress=127.0.0.1,
>>> error=invalid_token
>>>
>>> I'm looking through the code keycloak uses to supply an authentication
>>> mechanism to undertow now, to hopefully come with a way to handle basic
>>> auth...maybe through a wrapper auth mech around keycloak?
>>>
>>> Do you have any samples / hints I might be able to follow? I'll admit,
>>> this is the first time I've had to look this closely at servlet/web auth
>>> mechanisms.
>>>
>>>
>>> On 07/14/2015 11:16 AM, Bill Burke wrote:
>>>> IIRC, the basic auth switch is so that you can send the token via basic
>>>> auth rather than as bearer auth. This is really only useful when you
>>>> can't use a keycloak adapter, but can implement a LoginModule or
>>>> something. It has nothing to do with basic auth.
>>>>
>>>> On 7/14/2015 12:04 PM, John Casey wrote:
>>>>> On 07/14/2015 10:49 AM, Juraci Paixão Kröhling wrote:
>>>>>> On 07/14/2015 05:32 PM, John Casey wrote:
>>>>>>> ...but it doesn't seem to have a javascript UI or
anything using bearer
>>>>>>> tokens to verify that it works that way.
>>>>>>
>>>>>> Not sure I understood your question, but removing the
"bearer-only" and
>>>>>> adding "enable-basic-auth" should be enough to have
your server adapter
>>>>>> to accept both bearer tokens and basic auth.
>>>>>>
>>>>>
>>>>> This is exactly what I'm trying to do. I've tried removing
"bearer-only"
>>>>> and replaced it with "enable-basic-auth"...which has two
effects:
>>>>>
>>>>> - basic auth via curl works (it didn't before the change)
>>>>>
>>>>> - the UI (using javascript adapter + bearer token) gets 400 Bad
Request
>>>>>
>>>>>
>>>>> Are you using the javascript adapter to login for your UI, passing
the
>>>>> bearer token to the server? I guess what I'm asking is if your
>>>>> application actually uses both methods (basic auth and bearer
token)?
>>>>>
>>>>> I'm not sure how to filter my realm json to pare out the
unnecessary
>>>>> stuff, but here's a gist containing the full file (it's on a
test docker
>>>>> container, so no worries about security):
>>>>>
>>>>>
https://gist.github.com/jdcasey/3f934fcd4967b99ebb05
>>>>>
>>>>
>>>
>>> --
>>> John Casey
>>> ---
>>> GitHub:
https://github.com/jdcasey/
>>> Twitter:
http://twitter.com/buildchimp
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user