[Aerogear-users] Keycloak - validate token on server

Doug Drouillard douglas.drouillard at gmail.com
Thu Jun 22 07:24:06 EDT 2017


Summers - Yes, this is perfect

https://github.com/auth0/java-jwt#verify-a-token

Thank you for your help!

I was unsure if this was built into any of the Java/Keycloak adapters. This
confirmation helps quite a bit.

I have been running my modified version of aerogear for a couple weeks now
and it works well. The ability to stay in the app using Safari View
Controller + using kc_idp_hint is really nice and makes the native Facebook
/ Google iOS cocoapods seem unnecessary if you are just doing social
sign-in which I believe is the point.

On Mon, Jun 5, 2017 at 3:21 PM, <aerogear-users-request at lists.jboss.org>
wrote:

> Today's Topics:
>
>    1. Re: iOS Troubleshooting when server uses a self-signed
>       certificate Swift 3 (Polina Koleva)
>    2. Keycloak - validate token on server (Doug Drouillard)
>    3. Re: Keycloak - validate token on server (Summers Pittman)
>    4. Re: Keycloak - validate token on server (Doug Drouillard)
>    5. Re: Keycloak - validate token on server (Summers Pittman)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 29 May 2017 09:27:59 -0700 (MST)
> From: Polina Koleva <polina.n.koleva at gmail.com>
> Subject: Re: [Aerogear-users] iOS Troubleshooting when server uses a
>         self-signed certificate Swift 3
> To: aerogear-users at lists.jboss.org
> Message-ID: <1496075279116-1117.post at n5.nabble.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hey :)
>
> Julio Cesar Sanchez Hernandez wrote
> > Hi.
> >
> > There is something missing on the email you sent.
> >
> > You said
> > I added in my DeviceRegistration.swift file the method:
>
> I have added the code but it is not visible in the email. I place it here
> again (hopefully this time it will work). So this is the implementation of
> the method:
>
> public func urlSession(_session: URLSession, task: URLSessionTask,
>                        didReceive challenge: URLAuthenticationChallenge,
>                        completionHandler: (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
>     if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust
>         && challenge.protectionSpace.host == serverURL.host! {
>         let credentials = URLCredential(trust: challenge.protectionSpace.serverTrust!)
>         completionHandler(Foundation.URLSession.AuthChallengeDisposition.useCredential, credentials)
>     } else {
>         completionHandler(Foundation.URLSession.AuthChallengeDisposition.cancelAuthenticationChallenge, nil)
>     }
> }
>
>
>
> Julio Cesar Sanchez Hernandez wrote
> > Do you see any error message on Xcode console? If yes, share them.
>
> Yes, it is written that the server is not trusted because of the
> self-signed certificate.
> This is the error:
>
> Error Registering with UPS: The certificate for this server is invalid. You
> might be connecting to a server that is pretending to be “x.x.x.x” which
> could put your confidential information at risk.
>
>
> Julio Cesar Sanchez Hernandez wrote
> > Do you have a paid Apple developer account?
>
>  Yes, I have a developer account.
>
>
> Julio Cesar Sanchez Hernandez wrote
> > Are you testing on a real device?
>
> Yes, I am testing on a real device.
>
>
> Julio Cesar Sanchez Hernandez wrote
> > Is the device asking for the push permissions?
>
> Yes, the app asks for permission to receive push notifications. But it
> cannot connect to the server.
>
>
> Julio Cesar Sanchez Hernandez wrote
> > Is your server available online so I can take a look?
>
> No, I am running the ups on my local machine.
>
> Thanks.
> On Mon, May 29, 2017 at 2:57 PM, Polina Koleva <polina.n.koleva@>
> wrote:
>
> > Hey,
> > I am trying to run Swift 3 HelloWorld app ( HelloWorldSwift
> > <https://github.com/aerogear/aerogear-ios-cookbook/tree/master/UnifiedPushHelloWorld>
> > ) but I have a problem with the self-signed certificate.
> > Looking at the documentation ( ios troubleshooting
> > <https://aerogear.org/docs/unifiedpush/aerogear-push-ios/guides/#troubleshooting>
> > ) and changing it a little bit for Swift 3, I added in my
> > DeviceRegistration.swift file the method:
> >
> >
> >
> > But it still doesn't work. The method is not invoked at all. Do I miss
> > something?
> >
> > Any help will be appreciated.
> >
> > Polina
> >
> >
> >
> > --
> > View this message in context: http://aerogear-users.1116366.
> > n5.nabble.com/iOS-Troubleshooting-when-server-uses-a-self-signed-
> > certificate-Swift-3-tp1115.html
> > Sent from the aerogear-users mailing list archive at Nabble.com.
> > _______________________________________________
> > Aerogear-users mailing list
> > Aerogear-users at .jboss
> > https://lists.jboss.org/mailman/listinfo/aerogear-users
> >
> ------------------------------
>
> Message: 2
> Date: Wed, 31 May 2017 14:36:45 -0400
> From: Doug Drouillard <douglas.drouillard at gmail.com>
> Subject: [Aerogear-users] Keycloak - validate token on server
> To: aerogear-users at lists.jboss.org
> Message-ID:
>         <CAJSu2J6OZWe2miZ5eHg2Ydo9Vip3RE+vt+5yCAcAHg5xceGPrw at mail.
> gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
>
> I am using Aerogear-iOS and I am able to successfully get a JWT from
> Keycloak.  Say I pass that JWT to a Java web service (that is not WildFly),
> is there a way to easily verify the token? The Keycloak adapters for
> Undertow and Jetty seem beyond my reach. I am using Ninja Framework and the
> Undertow integration does not seem feasible in my time frame.
> I was hoping to easily validate token on server, but I can't seem to have
> come across anything. My concern is that I want to disable a user and
> immediately have them disabled, not wait on expiration in token.
>
> I have proposed this question on Stack Overflow and on the Keycloak mailing
> list with no answers so I was hoping to have some luck here.
>
> Thanks.
>
> ------------------------------
>
> Message: 3
> Date: Thu, 1 Jun 2017 07:47:35 -0400
> From: Summers Pittman <supittma at redhat.com>
> Subject: Re: [Aerogear-users] Keycloak - validate token on server
> To: aerogear-users at lists.jboss.org
> Message-ID:
>         <CAEQz2CsFi_rkhDrnzDG9GE0fXxhxw16qj983ueF1
> vy8RLpT2nw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Are you thinking something like this :
> https://github.com/auth0/java-jwt#verify-a-token ?
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 5 Jun 2017 09:11:43 -0400
> From: Doug Drouillard <douglas.drouillard at gmail.com>
> Subject: Re: [Aerogear-users] Keycloak - validate token on server
> To: aerogear-users at lists.jboss.org
> Message-ID:
>         <CAJSu2J7YAAh47A57GzLu3hqkYzpfuOLC=SZNaDCKeMpF+AqNbA at mail.
> gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I ended up forking aerogear and merging in an unmerged PR that exposed
> Safari View Controller (I am targeting iOS 9+) and then also modified it to
> allow for passing of kc_idp_hint.
>
> https://github.com/drouillard/aerogear-ios-oauth2
>
> It is nice and clean and avoids the user experience issues that motivated
> my original question. E.g. embedded views don't work with Google sign-in and
> the external Safari makes the user answer an additional prompt (Open in 'app
> name') plus risks leaving them in no-persons land if they cancel.
>
> For my active account question I likely can just use the Admin API to
> check outright if the user is enabled.
>
> Still researching the best Java client to use in my case as it seems like I am
> in a bearer-only situation. The aerogear code is easier to follow as there
> is no intermixing of session/server logic like the servlet examples I have
> seen.
> Verifying the JWT on the local server is easy and likely good enough but I
> believe there should be a way to verify it with the Keycloak server if
> desired using certificates/possibly OpenID endpoints. I am working in a
> high fraud situation so need all options available.
>
> Will update this thread as they appear in Google search results.
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 5 Jun 2017 14:42:36 -0400
> From: Summers Pittman <supittma at redhat.com>
> Subject: Re: [Aerogear-users] Keycloak - validate token on server
> To: aerogear-users at lists.jboss.org
> Message-ID:
>         <CAEQz2Cs7_Nc9SYaPNmVhe3kRfx=6mWBdC4o58zX9jRgXt_Wknw at mail.
> gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> +1 Thanks for the feedback, and I will keep an eye out for your updates.
>
> ------------------------------
>
> End of Aerogear-users Digest, Vol 33, Issue 1
> *********************************************
>
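
Added example (not part of the original thread, and not code from AeroGear or Keycloak): local verification of a Keycloak-issued RS256 token with the java-jwt library linked in the thread. The issuer URL, class name, subject and key pairs are assumptions constructed for the demo; a real service would load the realm's public key instead of generating one.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
public class VerifyKeycloakToken {
    // Hypothetical realm URL; Keycloak puts the realm URL in the "iss" claim.
    static final String ISSUER = "https://sso.example.test/auth/realms/demo";

    // Pin RS256 and one issuer; only the public key is needed to verify.
    static JWTVerifier verifierFor(RSAPublicKey realmKey) {
        return JWT.require(Algorithm.RSA256(realmKey, null))
                  .withIssuer(ISSUER)
                  .acceptLeeway(5) // seconds of clock skew tolerated
                  .build();
    }

    // Subject ("sub") of a valid token, or null if any check fails.
    static String subjectIfValid(JWTVerifier verifier, String token) {
        try {
            return verifier.verify(token).getSubject();
        } catch (JWTVerificationException e) {
            return null; // bad signature, wrong issuer, expired or malformed
        }
    }

    // Demo helper: issues a constructed token the way the identity provider would.
    static String sign(KeyPair kp, String iss, long expiresInMs) {
        return JWT.create().withIssuer(iss).withSubject("user-123")
                  .withExpiresAt(new Date(System.currentTimeMillis() + expiresInMs))
                  .sign(Algorithm.RSA256((RSAPublicKey) kp.getPublic(),
                                         (RSAPrivateKey) kp.getPrivate()));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair realm = gen.generateKeyPair();     // constructed stand-in for the realm key
        KeyPair untrusted = gen.generateKeyPair(); // a key the service does not trust
        JWTVerifier v = verifierFor((RSAPublicKey) realm.getPublic());
        System.out.println(subjectIfValid(v, sign(realm, ISSUER, 60_000)));     // valid token
        System.out.println(subjectIfValid(v, sign(realm, ISSUER, -60_000)));    // already expired
        System.out.println(subjectIfValid(v, sign(untrusted, ISSUER, 60_000))); // signed by another key
        System.out.println(subjectIfValid(v, sign(realm, "https://other.example.test", 60_000))); // other issuer
    }
}
```

A token that passes these checks remains acceptable until it expires, even if the account is disabled after it was issued; detecting that, the concern raised in the thread, takes a separate check against the Keycloak server.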