[keycloak-user] REST services supporting basic auth and bearer tokens

Marek Posolda mposolda at redhat.com
Thu Nov 27 04:46:21 EST 2014


I am not 100% sure if having basic auth with direct grant directly in 
our adapters is way to go. Probably yes as for your use-case it makes 
sense, so I am slightly for push your change as PR. But maybe others 
from team have different opinion.

Earlier this week I've added DirectAccessGrantsLoginModule to KC 
codebase, which is quite similar and is intended to be used for non-web 
applications (like SSH), which rely on JAAS. But I guess that using this 
one is not good option for you as you want support for Basic and Bearer 
authentication in same web application, right?

Few more minor points to your changes:
- Is it possible to use net.iharder.Base64 instead of 
org.apache.commons.codec.binary.Base64? Whole KC code has dependency on 
net.iharder, so would be likely better to use this one to avoid possible 
dependency issues in adapters.

- Wonder if it's possible to simplify a bit, like have single 
"completeAuthentication" method for both bearer and basic authenticator 
(afaik only difference among them is different authMethod right?). But 
this is really minor.


On 26.11.2014 14:54, Gary Brown wrote:
> Hi
> Concrete use case - we have implemented the OASIS S-RAMP specification, in which it requires basic auth support (http://docs.oasis-open.org/s-ramp/s-ramp/v1.0/s-ramp-v1.0-part2-atom-binding.html section 5 "The S-RAMP Specification does not attempt to define a security model for products that implement it.  For the Atom Binding, the only security requirement is that at a minimum, client and server implementations MUST be capable of being configured to use HTTP Basic Authentication in conjunction with a connection made with TLS.").
> However we also need the same service to support bearer token, for use within our KeyCloak SSO session.
> I've implemented a possible solution, details defined on https://issues.jboss.org/browse/KEYCLOAK-861.
> If this solution is on the right path, I would appreciate any feedback on any changes that might be required before submitting a PR. Currently there are no tests, but would aim to provide some with the PR.
> Regards
> Gary
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list