[keycloak-user] Best way to get subject without adding it as request parameter in cross domain back end REST service
Dean Peterson
peterson.dean at gmail.com
Thu Dec 18 14:59:38 EST 2014
I am able to use a bearer token to call a Java REST service from a pure
JavaScript client. Unfortunately the KeycloakSecurityContext is
essentially empty on the back end. I need to filter and update data by
subject (idToken.subject). Initially I set up my back end REST application
as a bearer-token-only application; thinking that was the problem, I
switched to a confidential back end application, but the
KeycloakSecurityContext is still not populated. In order to communicate
with the service in a cross-domain way, I still need to send a bearer
token, regardless of the type of application. I can get the subject in
JavaScript and add it to the list of request parameters; however, it seems
that leaves me open to anyone with a valid token being able to request
another user's data. What is the best way to handle this kind of situation
using Keycloak?
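The risk the post raises is that a subject taken from a request parameter is chosen by the caller, so any holder of a valid token could name another user's subject. The pattern below, added here as an illustration and not code from the post or from Keycloak, derives the subject only from the verified bearer token's `sub` claim and filters data with it. It assumes a constructed HS256 demo secret for a self-contained run; Keycloak itself signs access tokens with RS256 using the realm key, so a real service verifies against the realm public key (which is what the Keycloak adapter does before populating the security context).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; Keycloak actually signs tokens with RS256 using the
# realm key, so a real service must verify with the realm public key instead.
DEMO_SECRET = b"demo-hs256-secret-not-a-real-key"

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_demo_token(subject: str, ttl: int = 300) -> str:
    """Mint a constructed HS256 bearer token for the demo (stands in for Keycloak)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": subject, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def subject_from_bearer(authorization: str) -> str:
    """Verify the bearer token and return its 'sub' claim; raise on any failure."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise PermissionError("missing bearer token")
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # pin the algorithm; never trust the token's own choice
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) < time.time():
        raise PermissionError("token expired")
    return claims["sub"]

def list_records(authorization: str, records: list[dict]) -> list[dict]:
    """Filter by the token's subject only; the client never gets to name a subject."""
    sub = subject_from_bearer(authorization)
    return [r for r in records if r["owner"] == sub]
```

Because the subject comes from the signed claims rather than a query parameter, a caller who swaps in another user's subject invalidates the signature and is rejected.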