[keycloak-user] Verifying Bearer Tokens in Vert.x
Bill Burke
bburke at redhat.com
Wed Jan 29 11:05:58 EST 2014
On 1/29/2014 10:58 AM, Nils Preusker wrote:
> Hi everybody,
>
> we are developing an application that consists of several REST
> web-applications written with different application frameworks (Java EE
> 6/ JBoss AS and Vert.x). So far we are
> using org.jboss.resteasy.skeleton.key.as7.OAuthAuthenticationServerValve
> from the skeleton-key-as7 template (which as far as I can see, keycloak
> is based on?) as an OAuth provider and just add bearer tokens to the
> authentication headers of the HTTP requests between the modules.
>
> One of the really nice features for us is that the role mapping of users
> is included in the tokens (which is also described in the keycloak docs
> with a reference to JSON Web Tokens).
>
> Now the modules that are deployed to JBoss AS transparently verify the
> bearer tokens and RESTEasy even takes care of adding the username and
> the user roles to the HttpServletRequest which also allows us to use
> @RolesAllowed (very convenient!).
>
> What I'm wondering now is whether there is an easy way of adding
> validation and decoding of bearer tokens to Vert.x modules. Ideally, I
> would like to be able to add a jar dependency that provides me with a
> few methods to validate the token (make sure it is a real token, hasn't
> been modified and didn't expire...) and extract the user and roles from
> it. Since a private key is needed, I guess I would add a json config
> file or even just pass the required values to the API directly.
>
Don't know anything about vert.x, but if you use the keycloak-core
module, it has all the code needed to unmarshal and verify the token.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com