[keycloak-user] REST -> Backend App
Red Samh
redsamh at gmail.com
Fri Sep 5 15:23:49 EDT 2014
Bill,
I have rc1 and not rc2, let me check if it works in the newer version. It
may be the version.
Thanks
Sam
On Fri, Sep 5, 2014 at 3:13 PM, Red Samh <redsamh at gmail.com> wrote:
> Bill,
>
> I am able to get the example to work and it is fine if I am calling REST
> service to any other REST service (any number of hops). Does it work if you
> try to access another web application (just submit a form, access content
> or anything) that is authenticated by Keycloak, or are you able to make a
> call from the REST Service to a web application that is configured with
> Keycloak?
>
> See attached explanation.
>
> Thanks
> Sam
>
>
> On Fri, Sep 5, 2014 at 2:41 PM, Bill Burke <bburke at redhat.com> wrote:
>
>> You're going to have to elaborate on your problem as I was unable to
>> reproduce it.
>>
>> I took examples/preconfigured-demo/customer-app and added the database/
>> projects Java files to it. I was able to deploy this application and do
>> both web and bearer auth from the same war.
>>
>> Are you using latest Keycloak? 1.0-rc2?
>>
>> On 9/5/2014 1:31 PM, Red Samh wrote:
>>
>>>
>>> Thanks Bill, much appreciated. Is there something I can do in the
>>> interim even if it is a hack? I was looking at adapter code or even
>>> something I can hardcode in the rest service to pull out the user
>>> information and make the call to the back end application?
>>>
>>> Thanks
>>> Sam
>>>
>>> On Sep 5, 2014 1:19 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>>
>>> A pure servlet filter is on the roadmap, but it wouldn't be as
>>> seamlessly integrated. I'll take a look at your problem.
>>>
>>> On 9/5/2014 11:59 AM, Red Samh wrote:
>>>
>>> EAP 6.x, it would be nice if I could generalize to any war deployed to
>>> Tomcat or Jetty.
>>>
>>> Thanks
>>> Sam
>>>
>>> On Sep 5, 2014 11:51 AM, "Bill Burke" <bburke at redhat.com> wrote:
>>>
>>> Wildfly or JBoss EAP 6.x or JBoss AS 7.1?
>>>
>>>
>>> On 9/5/2014 11:49 AM, Red Samh wrote:
>>>
>>> Bill,
>>>
>>> Thanks for the reply.
>>>
>>> Yes it works when I have to call REST to another REST service and any
>>> number of hops. The problem is calling a full fledged application from
>>> a REST service that I have the issue. When it is an application that is
>>> both Web App + REST and I add the authorization header (bearer) I get an
>>> unauthorized 401 (blackbox in the attachment).
>>>
>>> Thanks
>>> Sam
>>>
>>>
>>> On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke <bburke at redhat.com> wrote:
>>>
>>> Should work. You'll have to actually describe what your problem is or I
>>> can't help you. I'll take a guess though:
>>>
>>> Keycloak doesn't propagate the Authorization bearer token header
>>> automatically when you have multiple REST "hops" between multiple
>>> servers. You'll have to obtain the access token and set up the HTTP
>>> header manually. The demo customer-portal example in the distro does
>>> exactly this, so take a look at that for more details.
>>>
>>> On 9/5/2014 10:58 AM, Red Samh wrote:
>>> > Hello,
>>> >
>>> > We have an application that is protected using Keycloak and a user can
>>> > access this application through a web front. After login the user can
>>> > use the functionality of the application. The application is also
>>> > exposed through REST API's and is protected via keycloak as part of the
>>> > application and accessible only after login into the main application.
>>> >
>>> > We have a
>>> >
>>> > (Step 1) Javascript application (retrieving data from) ->
>>> >
>>> > (Step 2) Business Application exposed as REST API (REST API has to make
>>> > calls to backend Application mentioned above) ->
>>> >
>>> > (Step 3) BackEnd Application Server + REST API.
>>> >
>>> > Directly accessing the BackEnd Application Server works fine but when we
>>> > need to call the REST API from another REST service which is
>>> > authenticated via Keycloak we have issues.
>>> >
>>> > We used the existing sample to try and do a POC but not sure what is the
>>> > best approach to solve this issue. The part from (Step 1) to (Step 2)
>>> > works and the REST API is protected using BEARER token. The (Step 2) to
>>> > (Step 3) is a problem as in (Step 2) we only have the BEARER token and
>>> > the BackEnd Application is protected using the full keycloak
>>> > configuration. So The BackEnd Application service is not authenticating
>>> > by sending in only the BEARER token in the header which is a full
>>> > keycloak installation (work as only a web service).
>>> >
>>> > Thanks
>>> > Sam
>>> >
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140905/ce55fd22/attachment-0001.html
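
The manual token propagation described in Bill Burke's quoted reply (obtain the access token, set the HTTP header yourself), shown as an added example that is not part of the original thread and is not code from the Keycloak distribution. The class name `BackendClient` and the `BACKEND_URL` value are hypothetical, and the servlet API and Keycloak adapter jars are assumed to be on the classpath.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.KeycloakSecurityContext;

public class BackendClient {
    // Assumption: placeholder URL; in practice a fixed value from deployment config,
    // never derived from the incoming request.
    private static final String BACKEND_URL = "https://backend.example.com/database/customers";

    /** Calls the backend on behalf of the user who made the incoming request. */
    public static String callBackend(HttpServletRequest req) throws IOException {
        // The Keycloak adapter publishes the caller's security context as a request attribute.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null || ctx.getTokenString() == null) {
            throw new IllegalStateException("request was not authenticated by the Keycloak adapter");
        }
        HttpURLConnection conn = (HttpURLConnection) new URL(BACKEND_URL).openConnection();
        try {
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            // The token is meant for BACKEND_URL only, so redirects are not followed.
            conn.setInstanceFollowRedirects(false);
            conn.setRequestProperty("Accept", "application/json");
            // Manual propagation: the same access token, sent as a bearer credential.
            conn.setRequestProperty("Authorization", "Bearer " + ctx.getTokenString());
            int status = conn.getResponseCode();
            if (status == HttpURLConnection.HTTP_UNAUTHORIZED) {
                throw new IOException("backend rejected the forwarded bearer token (401)");
            }
            if (status != HttpURLConnection.HTTP_OK) {
                throw new IOException("backend returned HTTP " + status);
            }
            ByteArrayOutputStream body = new ByteArrayOutputStream();
            try (InputStream in = conn.getInputStream()) {
                byte[] buf = new byte[4096];
                for (int n; (n = in.read(buf)) != -1; ) {
                    body.write(buf, 0, n);
                }
            }
            return body.toString("UTF-8");
        } finally {
            conn.disconnect();
        }
    }
}
```

Keep the token out of application logs and error messages, since anyone holding it can act as the user until it expires.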