[keycloak-dev] Multi tenant review

Juraci Paixão Kröhling juraci at kroehling.de
Wed Oct 29 06:56:31 EDT 2014



On 10/29/2014 11:23 AM, Juraci Paixão Kröhling wrote:
> On 10/28/2014 04:54 PM, Stian Thorgersen wrote:
>> 3. CatalinaSessionTokenStore.checkCurrentToken - can you figure
>> out the realm if the session was serialized? When the adapter is
>> clustered, we support serializing the session.
> 
> I'm then changing one of the SecurityContexts to include the
> realm, so that it gets de-serialized with this information. Now,
> the question is whether it is more appropriate to add it to
> KeycloakSecurityContext or RefreshableKeycloakSecurityContext. On
> the superclass (KeycloakSecurityContext), I have access only to
> IdToken and AccessToken. I believe both have ways to retrieve the
> realm (issuer, I believe), but I don't know how reliable this is. I
> remember seeing a post from Bill on keycloak-user that it should be
> changed to a URL, not the realm name. On the subclass, however, I
> have access to the KeycloakDeployment, which provides the realm in
> the exact way that it was originally configured.

About this one: I added a new constructor parameter to the superclass,
as all callers did have access to the realm name. So, provided that
storing the realm on the security context is appropriate, this is solved.

- Juca.

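Added example, not part of the original message and not Keycloak code: a sketch of the approach discussed in the thread, where the realm name is stored on the serialized security context so a cluster node can find the right configuration again after the session is de-serialized. The classes Deployment and SecurityContext, the rebind method and the tenant names are hypothetical stand-ins.

```java
import java.io.*;
import java.util.*;

public class RealmAwareContextDemo {
    /** Hypothetical per-realm adapter configuration; deliberately not serializable. */
    static final class Deployment {
        final String realm;
        Deployment(String realm) { this.realm = realm; }
    }

    /** Hypothetical security context stored in the replicated HTTP session. */
    static final class SecurityContext implements Serializable {
        private static final long serialVersionUID = 1L;
        final String tokenString;
        final String realm;               // plain field: travels with the session
        transient Deployment deployment;  // dropped on serialization, re-bound per node

        SecurityContext(String tokenString, String realm, Deployment deployment) {
            this.tokenString = tokenString;
            this.realm = realm;
            this.deployment = deployment;
        }

        /** Re-attach configuration after de-serialization; refuse a mismatched tenant. */
        void rebind(Map<String, Deployment> byRealm, String realmOfCurrentRequest) {
            if (!realm.equals(realmOfCurrentRequest))
                throw new IllegalStateException("session belongs to realm " + realm);
            Deployment d = byRealm.get(realm);
            if (d == null) throw new IllegalStateException("unknown realm " + realm);
            deployment = d;
        }
    }

    /** Serialize and de-serialize, as session replication between nodes would. */
    static SecurityContext roundTrip(SecurityContext ctx) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(ctx); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (SecurityContext) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Deployment> byRealm = new HashMap<>();  // constructed sample tenants
        byRealm.put("tenant-a", new Deployment("tenant-a"));
        byRealm.put("tenant-b", new Deployment("tenant-b"));
        SecurityContext restored = roundTrip(
                new SecurityContext("constructed-token", "tenant-a", byRealm.get("tenant-a")));
        // Only the realm name survives the round trip; the transient deployment must be re-bound.
        System.out.println("realm=" + restored.realm + " deployment=" + restored.deployment);
        restored.rebind(byRealm, "tenant-a");
        System.out.println("rebound to " + restored.deployment.realm);
        try { restored.rebind(byRealm, "tenant-b"); }
        catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The realm check in rebind is an assumption of this sketch: it keeps a restored session from being used under a different tenant's configuration.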
