[keycloak-user] Best way to get subject without adding it as request parameter in cross domain back end REST service
Dean Peterson
peterson.dean at gmail.com
Fri Dec 19 14:07:53 EST 2014
Ok I found the answer by reading the question just above mine: "Obtaining
the username from the security context". I did not realize that
session.getToken() contained the information I need. I was checking in
session.getIdToken().
On Thu, Dec 18, 2014 at 1:59 PM, Dean Peterson <peterson.dean at gmail.com>
wrote:
> I am able to use a bearer token to call a java REST service from a pure
> javascript client. Unfortunately the KeycloakSecurityContext is
> essentially empty on the back end. I need to filter and update data by
> subject (idToken.subject) Initially I setup my back end REST application
> as a bearer token only application; thinking that was the problem, I
> switched to a confidential back end application but the
> KeycloakSecurityContext is still not populated. In order to communicate
> with the service in a cross domain way, I still need to send a bearer
> token, regardless of the type of application. I can get the subject in
> javascript and add it to the list of request parameters, however, it seems
> that leaves me open to anyone with a valid token being able to request
> another user's data. What is the best way to handle this kind of situation
> using Keycloak?
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141219/05d4a07d/attachment.html
More information about the keycloak-user
mailing list