[keycloak-user] REST -> Backend App

Bill Burke bburke at redhat.com
Fri Sep 5 15:35:17 EDT 2014


I doubt the version is the problem.

On 9/5/2014 3:23 PM, Red Samh wrote:
> Bill,
>
> I have rc1 and not rc2, let me check if it works in the newer version.
> It may be the version.
>
> Thanks
> Sam
>
>
> On Fri, Sep 5, 2014 at 3:13 PM, Red Samh <redsamh at gmail.com> wrote:
>
>     Bill,
>
>     I am able to get the example to work and it is fine if I am calling
>     REST service to any other REST service (any number of hops). Does it
>     work if you try to access another web application (just submit a
>     form, access content or anything) that is authenticated by Keycloak
>     or are you able to make a call from the REST Service to a web
>     application that is configured with Keycloak?
>
>     See attached explanation.
>
>     Thanks
>     Sam
>
>
>     On Fri, Sep 5, 2014 at 2:41 PM, Bill Burke <bburke at redhat.com> wrote:
>
>         You're going to have to elaborate on your problem as I was
>         unable to reproduce it.
>
>         I took examples/preconfigured-demo/customer-app and added the
>         database/ projects Java files to it.  I was able to deploy this
>         application and do both web and bearer auth from the same war.
>
>         Are you using latest Keycloak?  1.0-rc2?
>
>         On 9/5/2014 1:31 PM, Red Samh wrote:
>
>
>             Thanks Bill, much appreciated. Is there something I can do in the
>             interim even if it is a hack? I was looking at adapter code or even
>             something I can hardcode in the rest service to pull out the user
>             information and make the call to the back end application?
>
>             Thanks
>             Sam
>
>             On Sep 5, 2014 1:19 PM, "Bill Burke" <bburke at redhat.com> wrote:
>
>                  A pure servlet filter is on the roadmap, but it wouldn't be as
>                  seamlessly integrated.  I'll take a look at your problem.
>
>                  On 9/5/2014 11:59 AM, Red Samh wrote:
>
>
>                      Eap 6.x, it would be nice if I could generalize to any war
>                      deployed to tomcat or jetty.
>
>                      Thanks
>                      Sam
>
>                      On Sep 5, 2014 11:51 AM, "Bill Burke" <bburke at redhat.com> wrote:
>
>                           Wildfly or JBoss EAP 6.x or JBoss AS 7.1?
>
>
>                           On 9/5/2014 11:49 AM, Red Samh wrote:
>
>                               Bill,
>
>                               Thanks for the reply.
>
>                               Yes it works when I have to call REST to another REST service
>                               and any number of hops. The problem is calling a full fledged
>                               application from a REST service that I have the issue. When it
>                               is an application that is both Web App + REST and I add the
>                               authorization header (bearer) I get an unauthorized 401
>                               (blackbox in the attachment).
>
>                               Thanks
>                               Sam
>
>
>                               On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke <bburke at redhat.com> wrote:
>
>                                    Should work.  You'll have to actually describe what your
>                                    problem is or I can't help you.  I'll take a guess though:
>
>                                    Keycloak doesn't propagate the Authorization bearer token
>                                    header automatically when you have multiple REST "hops"
>                                    between multiple servers.  You'll have to obtain the access
>                                    token and set up the HTTP header manually.  The demo
>                                    customer-portal example in the distro does exactly this, so
>                                    take a look at that for more details.
>
>                                    On 9/5/2014 10:58 AM, Red Samh wrote:
>                                     > Hello,
>                                     >
>                                     > We have an application that is protected using Keycloak and a user can
>                                     > access this application through a web front. After login the user can
>                                     > use the functionality of the application. The application is also
>                                     > exposed through REST APIs and is protected via keycloak as part of the
>                                     > application and accessible only after login into the main application.
>                                     >
>                                     > We have a
>                                     >
>                                     > (Step 1) Javascript application (retrieving data from) ->
>                                     >
>                                     > (Step 2) Business Application exposed as REST API (REST API has to make
>                                     > calls to backend Application mentioned above) ->
>                                     >
>                                     > (Step 3) BackEnd Application Server + REST API.
>                                     >
>                                     > Directly accessing the BackEnd Application Server works fine but when we
>                                     > need to call the REST API from another REST service which is
>                                     > authenticated via Keycloak we have issues.
>                                     >
>                                     > We used the existing sample to try and do a POC but not sure what is the
>                                     > best approach to solve this issue. The part from (Step 1) to (Step 2)
>                                     > works and the REST API is protected using BEARER token. The (Step 2) to
>                                     > (Step 3) is a problem as in (Step 2) we only have the BEARER token and
>                                     > the BackEnd Application is protected using the full keycloak
>                                     > configuration. So the BackEnd Application service is not authenticating
>                                     > by sending in only the BEARER token in the header which is a full
>                                     > keycloak installation (work as only a web service).
>                                     >
>                                     > Thanks
>                                     > Sam
>                                     >
>                                     >
>                                     >
>                                     > _______________________________________________
>                                     > keycloak-user mailing list
>                                     > keycloak-user at lists.jboss.org
>                                     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>                                     >
>
>                                    --
>                                    Bill Burke
>                                    JBoss, a division of Red Hat
>                                    http://bill.burkecentral.com
>
>
>                           --
>                           Bill Burke
>                           JBoss, a division of Red Hat
>                           http://bill.burkecentral.com
>
>
>                  --
>                  Bill Burke
>                  JBoss, a division of Red Hat
>                  http://bill.burkecentral.com
>
>
>         --
>         Bill Burke
>         JBoss, a division of Red Hat
>         http://bill.burkecentral.com
>
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
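
The manual step described in the quoted 11:42 AM reply (obtain the access token and set the HTTP header yourself for the Step 2 to Step 3 hop), as an added example that is not part of this thread or of the Keycloak distribution. The class name `BackendClient` and the host `backend.example.internal` are hypothetical; the code assumes the Step 2 service runs behind the Keycloak adapter with the servlet API and keycloak-core on the classpath.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.KeycloakSecurityContext;

/** Hypothetical helper for the Step 2 REST service (added example). */
public final class BackendClient {

    // Assumption: the only host allowed to receive the caller's token (constructed name).
    private static final Set<String> ALLOWED_HOSTS =
            Collections.singleton("backend.example.internal");

    private BackendClient() {}

    /** Opens a call to the Step 3 backend on behalf of the user who called this service. */
    public static HttpURLConnection callBackend(HttpServletRequest req, URI target)
            throws IOException {
        // The Keycloak adapter stores the security context on the authenticated request.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null || ctx.getTokenString() == null) {
            throw new SecurityException("request was not authenticated by Keycloak");
        }
        // A bearer token is a credential: forward it only over TLS to a known backend.
        String host = target.getHost();
        if (!"https".equalsIgnoreCase(target.getScheme()) || host == null
                || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new SecurityException("refusing to forward token to " + target);
        }
        HttpURLConnection conn = (HttpURLConnection) target.toURL().openConnection();
        // Do not follow redirects on a request that carries the token.
        conn.setInstanceFollowRedirects(false);
        // The adapter does not propagate this header between hops; set it by hand.
        conn.setRequestProperty("Authorization", "Bearer " + ctx.getTokenString());
        conn.setRequestProperty("Accept", "application/json");

        if (conn.getResponseCode() == HttpURLConnection.HTTP_UNAUTHORIZED) {
            // The backend did not accept the token; surface that to the caller.
            throw new IOException("backend returned 401 for forwarded bearer token");
        }
        return conn;
    }
}
```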


More information about the keycloak-user mailing list