[keycloak-user] Recommendations for protecting REST service with bearer token and basic auth

Bill Burke bburke at redhat.com
Mon Nov 10 08:38:35 EST 2014


With basic auth, you have zero control over the client and you're 
handing over credentials to that client.  Simple and easy for "hello 
world" apps sure.

On 11/10/2014 3:20 AM, Gary Brown wrote:
> Currently it's for backward compatibility, maintaining the same simple authentication approach for existing clients using the REST services.
>
> However basic auth is a standard (and simple) approach, so I could see some cases where it would be preferred by app developers rather than accessing a keycloak specific service to obtain a token. One relevant case would be API management - if a backend service was protected by keycloak, I believe it would require a specific authentication module to obtain a token per request (unless the token could be cached somewhere).
>
> So I think having the basic auth support will provide flexibility.
>
> Regards
> Gary
>
> ----- Original Message -----
>> If you are using Keycloak, I don't understand why you would want to do
>> basic auth.
>>
>> Eventually I'm going to write a JAAS plugin for simple username/password
>> with Keycloak, but I have other stuff in my queue at the moment.  For
>> your application, you'd have to write something that obtained an admin
>> token and verified username/password and downloaded role mappings.
>>
>> On 11/7/2014 9:16 AM, Gary Brown wrote:
>>> Hi
>>>
>>> I've just started looking at KeyCloak to use with the Overlord governance
>>> projects.
>>>
>>> I have tried the examples, and see how we could leverage KeyCloak to
>>> protect the UI apps and the backend REST services they use. However we
>>> also need to provide the REST services as independent services using basic
>>> auth - but would like the basic auth to be performed against the users
>>> managed by KeyCloak.
>>>
>>> Are there any recommendations on how this can be achieved?
>>>
>>> Do we need to provide our own filter - is there any example code to do
>>> this?
>>>
>>> Is it possible to do something via the KeyCloak subsystem configuration
>>> approach, in case we wanted to secure the REST service without modifying
>>> the war?
>>>
>>> Thanks in advance.
>>>
>>> Regards
>>> Gary
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
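As an added illustration, not code from this thread or from Keycloak itself, the flow Bill describes for serving Basic auth against Keycloak-managed users: parse the Basic header, verify the username/password with Keycloak, and read the role mappings from what Keycloak returns. It swaps in the direct access grant at an assumed token endpoint (/realms/{realm}/protocol/openid-connect/token, public client; the endpoint paths of 2014-era Keycloak differed) instead of the admin-token route Bill mentions, and takes an injectable `post` function so the logic can be exercised offline.

```python
import base64, binascii, json, urllib.error, urllib.parse, urllib.request

def parse_basic_auth(header):
    """(user, password) from an 'Authorization: Basic ...' header, else None."""
    if not header:
        return None
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None

def jwt_payload(token):
    """Decode the payload of a JWT just received from Keycloak over TLS.
    No signature check here; a token arriving from a client must be verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def default_post(url, form):
    """POST a form, returning (status, body); a 401 is returned, not raised."""
    data = urllib.parse.urlencode(form).encode()
    try:
        with urllib.request.urlopen(url, data=data, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def roles_for_basic_auth(header, keycloak_base, realm, client_id, post=default_post):
    """Exchange Basic credentials for a Keycloak token via the direct access grant
    (endpoint path assumed; check your Keycloak version) and return the realm
    roles, or None when credentials are missing, malformed or rejected."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    url = "%s/realms/%s/protocol/openid-connect/token" % (keycloak_base, realm)
    status, body = post(url, {"grant_type": "password", "client_id": client_id,
                              "username": creds[0], "password": creds[1]})
    if status != 200:
        return None
    claims = jwt_payload(json.loads(body)["access_token"])
    return set(claims.get("realm_access", {}).get("roles", []))
```

Note that every request carries the user's password and costs a round trip to Keycloak, which is exactly the per-request token problem raised earlier in the thread; a filter built on this would normally cache the result for the token's lifetime.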

