Hi Pulkit,
Authentication happens on the front-end and the given bearer token is used for the
bearer-only client to obtain protected resources. Implicit flow is just another way to
obtain an access (bearer) token from Keycloak.
I'm using the JS adapter and it works for both flows and does not affect the way your
REST services work (including token validation). I believe you should be good to go once
you get your front-end Keycloak configuration set up correctly.
________________________________________
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
on behalf of Pulkit Gupta <pulgupta(a)redhat.com>
Sent: 30 May 2017 11:23
To: keycloak-user
Subject: [keycloak-user] Securing Angular + REST based app using keycloak OIDC
Hi All,
We are looking to integrate an application with Keycloak.
It is an Angular + REST application in which the REST services are
developed in Java and are running on EAP 6.
From my reading I can figure out that we should secure both the front end
and the back end separately.
The Angular front-end can be secured using the JavaScript adapter, which will
check if a user has an access token and, in case not, it will redirect it to
Keycloak. Once the user acquires an access token, it sends the same token
to the REST services. We can configure the REST service as a bearer-only client
which will check for the validity of the token against Keycloak and return
the business data. We can use the EAP 6 OIDC Java adapter for Keycloak to
secure the REST part.
However, there is one limitation that our setup only supports implicit flow.
I am sure with implicit flow we can achieve the Angular side of the
authentication. However, I am not sure if we can make use of the Java OIDC
adapter to actually validate and secure our REST APIs.
Can you please guide me in case this is achievable with implicit flow.
Regards,
Pulkit
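
The point made in this thread, that a bearer-only service validates the token the same way whichever flow issued it, shown as an added Node.js example; it is not code from either poster or from the Keycloak adapters. The key pair, issuer URL, claims and function names are constructed for illustration.

```javascript
// Added example: checks a resource server applies to an incoming bearer token.
// Nothing here depends on whether the front end used implicit or standard flow.
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Stand-in for the identity provider signing an access token (constructed).
function issueToken(privateKey, claims) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64url(sig)}`;
}

// Resource-server side: verify the signature with the realm key, then the claims.
function validateBearer(authorizationHeader, realmPublicKey, expectedIssuer, nowSec) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorizationHeader || '');
  if (!m) return { ok: false, reason: 'malformed' };
  const [, head, body, sig] = m;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm; never let the token's own "alg" select it.
  if (header?.alg !== 'RS256') return { ok: false, reason: 'bad alg' };
  const good = crypto.verify('sha256', Buffer.from(`${head}.${body}`),
    realmPublicKey, Buffer.from(sig, 'base64url'));
  if (!good) return { ok: false, reason: 'bad signature' };
  if (claims?.iss !== expectedIssuer) return { ok: false, reason: 'wrong issuer' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, subject: claims.sub };
}

// Constructed demo data: realm key pair, issuer URL, clock and one token.
const ISSUER = 'https://sso.example.test/auth/realms/demo';
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const NOW = 1496140000;
const token = issueToken(privateKey, { iss: ISSUER, sub: 'user-1', exp: NOW + 300 });
console.log(validateBearer(`Bearer ${token}`, publicKey, ISSUER, NOW));
```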