[keycloak-user] Best way to get subject without adding it as request parameter in cross domain back end REST service

Bill Burke bburke at redhat.com
Mon Dec 22 10:25:57 EST 2014


So, with Bearer token auth, the KeycloakSecurityContext is null?  Or it 
doesn't have any information?

On 12/18/2014 2:59 PM, Dean Peterson wrote:
> I am able to use a bearer token to call a java REST service from a pure
> javascript client.  Unfortunately the KeycloakSecurityContext is
> essentially empty on the back end.  I need to filter and update data by
> subject (idToken.subject). Initially I set up my back end REST
> application as a bearer-token-only application; thinking that was the
> problem, I switched to a confidential back end application but the
> KeycloakSecurityContext is still not populated.  In order to communicate
> with the service in a cross domain way, I still need to send a bearer
> token, regardless of the type of application.  I can get the subject in
> javascript and add it to the list of request parameters, however, it
> seems that leaves me open to anyone with a valid token being able to
> request another user's data.  What is the best way to handle this kind
> of situation using Keycloak?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
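The safe answer to the question in the thread is to read the subject from the token the adapter has already verified, never from a client-supplied parameter: any holder of a valid token can put an arbitrary value in a request parameter, but it cannot alter the `sub` claim of a signed token. The JAX-RS resource below is an added example, not code from Bill Burke, Dean Peterson or the Keycloak project. It uses the real adapter API (`KeycloakSecurityContext` stored as a request attribute, `getToken().getSubject()`); `RecordStore`, `RecordUpdate` and `RecordsResource` are hypothetical names standing in for the application's own data layer.

```java
// Added example: derive the caller's subject from the verified bearer token
// rather than from a request parameter. Assumes the Keycloak servlet adapter
// (bearer-only or confidential; bearer handling is the same) is installed and
// that the resource URL is covered by a security-constraint so the adapter
// actually authenticates the request.
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@Path("/records")
public class RecordsResource {

    // Hypothetical application data layer (not part of Keycloak).
    public interface RecordStore {
        Object findBySubject(String subject);
        boolean updateOwnedBy(String subject, String id, RecordUpdate update);
    }

    // Hypothetical request body.
    public static class RecordUpdate {
        public String value;
    }

    private final RecordStore store;

    public RecordsResource(RecordStore store) {
        this.store = store;
    }

    /**
     * Returns the "sub" claim of the token the adapter verified, or null if
     * the adapter did not authenticate this request. A null here means no
     * signature or expiry check has run, so callers must fail closed.
     */
    static String verifiedSubject(HttpServletRequest request) {
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
            request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            return null;
        }
        AccessToken token = ctx.getToken();
        return token == null ? null : token.getSubject();
    }

    @GET
    @Produces("application/json")
    public Response list(@Context HttpServletRequest request) {
        String subject = verifiedSubject(request);
        if (subject == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // Filter strictly by the token's subject; the client never names it.
        return Response.ok(store.findBySubject(subject)).build();
    }

    @PUT
    @Path("/{id}")
    @Consumes("application/json")
    public Response update(@Context HttpServletRequest request,
                           @PathParam("id") String id,
                           RecordUpdate body) {
        String subject = verifiedSubject(request);
        if (subject == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // The record id alone is not proof of ownership: scope the update to
        // rows owned by the verified subject, so a token holder cannot modify
        // another user's data by guessing ids or sending a "subject" parameter.
        boolean updated = store.updateOwnedBy(subject, id, body);
        return updated
            ? Response.noContent().build()
            : Response.status(Response.Status.NOT_FOUND).build();
    }
}
```

The `sub` claim of the access token is the same user id the JavaScript client sees as `idToken.subject`, so no extra parameter is needed for the filter. If `verifiedSubject` keeps returning null, the adapter is not engaging for that URL (for the servlet adapters, the path has to fall under a `security-constraint` in `web.xml`); changing the application from bearer-only to confidential does not change that, because the bearer token is validated the same way in both modes.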

