[keycloak-user] REST services supporting basic auth and bearer tokens

Stian Thorgersen stian at redhat.com
Thu Nov 27 06:06:09 EST 2014


Looks good to me, but I'd like it to be an optional feature that is enabled in keycloak.json (should be disabled by default).

Another thing is that we should add an example + documentation for this feature.

----- Original Message -----
> From: "Gary Brown" <gbrown at redhat.com>
> To: "Marek Posolda" <mposolda at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 27 November, 2014 10:58:21 AM
> Subject: Re: [keycloak-user] REST services supporting basic auth and bearer tokens
> 
> Hi Marek
> 
> ----- Original Message -----
> > Hi,
> > 
> > I am not 100% sure if having basic auth with direct grant directly in
> > our adapters is way to go. Probably yes as for your use-case it makes
> > sense, so I am slightly for push your change as PR. But maybe others
> > from team have different opinion.
> > 
> > Earlier this week I've added DirectAccessGrantsLoginModule to KC
> > codebase, which is quite similar and is intended to be used for non-web
> > applications (like SSH), which rely on JAAS. But I guess that using this
> > one is not good option for you as you want support for Basic and Bearer
> > authentication in same web application, right?
> 
> Thats correct.
> 
> > 
> > Few more minor points to your changes:
> > - Is it possible to use net.iharder.Base64 instead of
> > org.apache.commons.codec.binary.Base64? Whole KC code has dependency on
> > net.iharder, so would be likely better to use this one to avoid possible
> > dependency issues in adapters.
> 
> That shouldn't be a problem.
> 
> > 
> > - Wonder if it's possible to simplify a bit, like have single
> > "completeAuthentication" method for both bearer and basic authenticator
> > (afaik only difference among them is different authMethod right?). But
> > this is really minor.
> 
> Will do.
> 
> I'll wait until mid next week before doing any more on this, to see whether
> others have an opinion.
> 
> If the PR was accepted, any chance it could go into 1.1 even though in beta?
> If no, any idea what the timescale is for 1.2.beta1?
> 
> Thanks for your feedback.
> 
> Regards
> Gary
> 
> > 
> > Marek
> > 
> > On 26.11.2014 14:54, Gary Brown wrote:
> > > Hi
> > >
> > > Concrete use case - we have implemented the OASIS S-RAMP specification,
> > > in
> > > which it requires basic auth support
> > > (http://docs.oasis-open.org/s-ramp/s-ramp/v1.0/s-ramp-v1.0-part2-atom-binding.html
> > > section 5 "The S-RAMP Specification does not attempt to define a security
> > > model for products that implement it.  For the Atom Binding, the only
> > > security requirement is that at a minimum, client and server
> > > implementations MUST be capable of being configured to use HTTP Basic
> > > Authentication in conjunction with a connection made with TLS.").
> > >
> > > However we also need the same service to support bearer token, for use
> > > within our KeyCloak SSO session.
> > >
> > > I've implemented a possible solution, details defined on
> > > https://issues.jboss.org/browse/KEYCLOAK-861.
> > >
> > > If this solution is on the right path, I would appreciate any feedback on
> > > any changes that might be required before submitting a PR. Currently
> > > there
> > > are no tests, but would aim to provide some with the PR.
> > >
> > > Regards
> > > Gary
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > 
> > 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 


More information about the keycloak-user mailing list