[keycloak-dev] Application and server in separate networks

Christian Beikov christian.beikov at gmail.com
Wed Apr 18 12:16:47 EDT 2018


As far as I see in the code, the Java Adapters always use the standard 
flow, i.e. response_type=code.

Please tell me this observation is wrong and there is an undocumented 
setting I just didn't see that I can use to tell the adapter to use the 
implicit flow instead :|

If this is really missing, where would you suggest this should be 
configured? I'd expect the setting to be in KeycloakDeployment and 
OAuthRequestAuthenticator#loginRedirect would then use the value instead 
of always using the "code" value.


Kind regards,
------------------------------------------------------------------------
*Christian Beikov*
On 18.04.2018 at 17:35, Christian Beikov wrote:
>
> Is there any way to avoid the access code to access token exchange? 
> Since the Keycloak server is not accessible, I'm getting an error 
> during authentication:
>
>  ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-54) failed to turn code into token: java.net.UnknownHostException: blabla.local: unknown error
>         ...
>         at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111)
>         at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:330)
>         at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:275)
>         at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:139)
>         at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>         at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
>         ...
>
>
> Kind regards,
> ------------------------------------------------------------------------
> *Christian Beikov*
> On 18.04.2018 at 14:48, Thomas Darimont wrote:
>> Hello Christian,
>>
>> your application server needs to communicate with the Keycloak server 
>> to retrieve the realm public key referenced in the token to verify 
>> the token signature.
>> The current implementation in Keycloak fetches & caches unknown 
>> public keys automatically.
>>
>> You could also use a fixed realm public key on the application server 
>> side but it would not support key rotation anymore.
>>
>> Cheers,
>> Thomas
>>
>> 2018-04-18 13:45 GMT+02:00 Christian Beikov <christian.beikov at gmail.com>:
>>
>>     Hi,
>>
>>     is it necessary that an application secured by Keycloak can access
>>     the Keycloak server? Or is it enough if the browser can access the
>>     Keycloak server?
>>
>>     -- 
>>
>>     Kind regards,
>>     ------------------------------------------------------------------------
>>     *Christian Beikov*
>>
>>
>
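
The trade-off Thomas describes above (a fixed realm public key lets the application verify tokens without reaching the Keycloak server, but stops working once the realm key is rotated), as an added example that is not part of the original thread and is not the Keycloak adapter's own code. The class name, key ids, issuer URL and key pairs are constructed for illustration; only the signature is checked here, not expiry, issuer or audience.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class PinnedRealmKeyDemo {
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    // Build a compact RS256 JWS (header.payload.signature) signed with the given key.
    static String sign(String kid, String claims, PrivateKey key) throws GeneralSecurityException {
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"" + kid + "\"}";
        String input = B64.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
                + B64.encodeToString(claims.getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(input.getBytes(StandardCharsets.US_ASCII));
        return input + "." + B64.encodeToString(s.sign());
    }

    // Offline check against one pinned public key: no request to the Keycloak server.
    static boolean verifyPinned(String token, PublicKey pinned) throws GeneralSecurityException {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        String header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        // Simplified header check: accept only the algorithm the pinned key is meant for.
        if (!header.contains("\"alg\":\"RS256\"")) return false;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pinned);
        s.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        try {
            return s.verify(Base64.getUrlDecoder().decode(parts[2]));
        } catch (SignatureException e) {
            return false; // malformed signature bytes count as a failed verification
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair current = gen.generateKeyPair(); // constructed stand-in for the realm key
        KeyPair rotated = gen.generateKeyPair(); // constructed stand-in for the key after rotation
        PublicKey pinned = current.getPublic();  // the fixed key configured on the application side
        String claims = "{\"iss\":\"https://sso.example/auth/realms/demo\",\"sub\":\"alice\"}";
        String before = sign("k1", claims, current.getPrivate());
        String after = sign("k2", claims, rotated.getPrivate());
        System.out.println("token signed with pinned key verifies: " + verifyPinned(before, pinned));
        System.out.println("token signed after rotation verifies:  " + verifyPinned(after, pinned));
    }
}
```

The second token is rejected because the application has no way to learn the new key without either a redeploy or a network path to the server's key endpoint.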


