[keycloak-dev] Custom REST endpoint - how to make sure that only admins can call it?

Johannes Knutsen johannes at kodet.no
Tue Nov 6 08:17:32 EST 2018


Hi Marco!

I think you should have a look at the AccountRestService,
https://github.com/keycloak/keycloak/blob/11374a27078266bebe5239d595796589e78bae9d/services/src/main/java/org/keycloak/services/resources/account/AccountRestService.java,
and AccountLoader,
https://github.com/keycloak/keycloak/blob/11374a27078266bebe5239d595796589e78bae9d/services/src/main/java/org/keycloak/services/resources/account/AccountLoader.java.
This is how role checking is done internally in Keycloak and should
work in a custom REST endpoint as well.

Typically something like this should be a good start:

import javax.ws.rs.NotAuthorizedException;
import org.keycloak.models.ClientModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.managers.AuthenticationManager;

// Validate the bearer token on the current request (signature, expiry, realm);
// null means no usable token was presented, so answer with 401.
AuthenticationManager.AuthResult authResult = new AppAuthManager().authenticateBearerToken(session);
if (authResult == null) {
    throw new NotAuthorizedException("Bearer token required");
}
// 'client' is a ClientModel looked up beforehand: the client whose client roles the checks apply to.
Auth auth = new Auth(session.getContext().getRealm(), authResult.getToken(),
        authResult.getUser(), client, authResult.getSession(), false);

The Auth object has several methods to do role checks:
auth.hasOneOfAppRole, auth.hasRealmRole, auth.hasClientRole, and
auth.hasOneOfRealmRole.

Hope this gets you started :)

Regards,
Johannes Knutsen
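A complete provider that applies the pattern above, as an added example that is not from Johannes's reply or the Keycloak sources: the class name, the "status" path and the choice of the realm-management client's realm-admin role as "admin" are assumptions, and the RealmResourceProviderFactory plus its META-INF/services registration are left out.

```java
import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.services.ForbiddenException;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resource.RealmResourceProvider;

// Hypothetical provider: requests to /auth/realms/{realm}/<provider-id>/... land here.
public class AdminOnlyResourceProvider implements RealmResourceProvider {
    private final KeycloakSession session;
    public AdminOnlyResourceProvider(KeycloakSession session) { this.session = session; }
    @Override public Object getResource() { return this; }
    @Override public void close() { }

    // Validates the bearer token on the request (signature, expiry, realm) and builds
    // an Auth object for role checks. A missing or invalid token is answered with 401.
    private Auth authenticate() {
        AuthenticationManager.AuthResult result = new AppAuthManager().authenticateBearerToken(session);
        if (result == null) {
            throw new NotAuthorizedException("Bearer token required");
        }
        RealmModel realm = session.getContext().getRealm();
        // Admin roles live on the built-in "realm-management" client, so pass that client in.
        ClientModel realmMgmt = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
        return new Auth(realm, result.getToken(), result.getUser(), realmMgmt, result.getSession(), false);
    }

    @GET
    @Path("status")
    @Produces(MediaType.APPLICATION_JSON)
    public String status() {
        Auth auth = authenticate();
        // With bearer auth the checks read the token's resource_access claim, so the
        // realm-admin role must actually be in the token, not merely assigned to the user.
        if (!auth.hasOneOfAppRole(auth.getClient(), AdminRoles.REALM_ADMIN)) {
            throw new ForbiddenException(); // authenticated but not an admin: 403
        }
        return "{\"status\":\"ok\"}";
    }
}
```

Because the bearer path (cookie=false) decides from token claims, a token issued to a client whose scope omits the realm-management roles gets 403 even for a genuine admin; that is the first thing to verify when the check rejects an expected caller.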

On Tue, Nov 6, 2018 at 1:45 PM <marco.scheuermann at daimler.com> wrote:
>
> Using correct dev mailing list...
>
> From: "Scheuermann, Marco (059)" <marco.scheuermann at daimler.com>
> Date: Tuesday, 6 November 2018 at 13:41
> To: "keycloak-dev-bounces at lists.jboss.org" <keycloak-dev-bounces at lists.jboss.org>
> Cc: "Herrmann, David Christian (059)" <david_christian.herrmann at daimler.com>
> Subject: Custom REST endpoint - how to make sure that only admins can call it?
>
> Hi Community,
>
> we just implemented a custom REST endpoint based on org.keycloak.services.resource.RealmResourceProvider;
>
> How can we make sure that only users with admin role can call these endpoints?
>
> Due to the fact that it is a SPI implementation, I have no deployment descriptors to configure security for the endpoint...
>
> Greetings,
> Marco