[keycloak-user] Best way to get subject without adding it as request parameter in cross domain back end REST service

Dean Peterson peterson.dean at gmail.com
Fri Dec 19 14:07:53 EST 2014


OK, I found the answer by reading the question just above mine: "Obtaining
the username from the security context".  I did not realize that
session.getToken() contained the information I need.  I was checking in
session.getIdToken().

On Thu, Dec 18, 2014 at 1:59 PM, Dean Peterson <peterson.dean at gmail.com>
wrote:

> I am able to use a bearer token to call a java REST service from a pure
> javascript client.  Unfortunately the KeycloakSecurityContext is
> essentially empty on the back end.  I need to filter and update data by
> subject (idToken.subject).  Initially I set up my back end REST application
> as a bearer token only application; thinking that was the problem, I
> switched to a confidential back end application but the
> KeycloakSecurityContext is still not populated.  In order to communicate
> with the service in a cross domain way, I still need to send a bearer
> token, regardless of the type of application.  I can get the subject in
> javascript and add it to the list of request parameters, however, it seems
> that leaves me open to anyone with a valid token being able to request
> another user's data.  What is the best way to handle this kind of situation
> using Keycloak?
>
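As an added illustration of the point in this thread (example code, not from the thread or the Keycloak project): a JAX-RS resource on the bearer-token-protected back end that derives the subject from the adapter-verified access token via KeycloakSecurityContext.getToken() instead of trusting a caller-supplied request parameter. It assumes the Keycloak servlet adapter has stored the security context as a request attribute keyed by the class name; the in-memory RecordStore is a hypothetical stand-in for the real data layer.

```java
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.*;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@Path("/records")
public class RecordsResource {

    // Hypothetical data layer, keyed by Keycloak subject (user id); constructed sample data.
    static class RecordStore {
        private final Map<String, List<String>> bySubject = new HashMap<>();
        RecordStore() {
            bySubject.put("sub-alice", new ArrayList<>(List.of("alice-record-1")));
            bySubject.put("sub-bob", new ArrayList<>(List.of("bob-record-1")));
        }
        List<String> find(String subject) { return bySubject.getOrDefault(subject, List.of()); }
        void add(String subject, String r) { bySubject.computeIfAbsent(subject, k -> new ArrayList<>()).add(r); }
    }
    private final RecordStore store = new RecordStore();

    // Weak form: the subject is a query parameter chosen by the caller, so any holder
    // of a valid bearer token can request another user's records.
    @GET @Path("/by-param")
    public Response byParam(@QueryParam("subject") String subject) {
        return Response.ok(store.find(subject)).build();
    }

    // Resolve the subject from the access token the adapter already verified
    // (signature, expiry, realm). getIdToken() is empty on bearer-only calls;
    // getToken() carries the subject. Returns null if no verified token is present.
    private static String callerSubject(HttpServletRequest request) {
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) return null;
        AccessToken token = ctx.getToken();
        return token == null ? null : token.getSubject();
    }

    // Hardened form: read and update only the caller's own data; no client input decides who.
    @GET @Path("/mine")
    public Response mine(@Context HttpServletRequest request) {
        String subject = callerSubject(request);
        if (subject == null) return Response.status(Response.Status.UNAUTHORIZED).build();
        return Response.ok(store.find(subject)).build();
    }

    @POST @Path("/mine")
    public Response addMine(@Context HttpServletRequest request, String record) {
        String subject = callerSubject(request);
        if (subject == null) return Response.status(Response.Status.UNAUTHORIZED).build();
        store.add(subject, record);
        return Response.ok(store.find(subject)).build();
    }
}
```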