[keycloak-user] Exchange access token to id token

Ryvlin, Andrey aryvlin at morphotrust.com
Thu Apr 23 20:42:32 EDT 2015


Never mind, I figured it out. Got the token from the request header and converted it to an AccessToken object.

Thanks anyways!

-----Original Message-----
From: Ryvlin, Andrey 
Sent: Thursday, April 23, 2015 11:43 AM
To: Bill Burke; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Exchange access token to id token

Hi Bill,
I need your help!
I created a demo REST service with Keycloak role-based security. I use an OAuth client to obtain a token, which I pass in the request header.
Everything works fine, I pass all security constraints and the REST endpoint gets executed.
Now I am trying to get the access token from the request as you suggested:
     AccessToken accessToken  = ((KeycloakSecurityContext)request.getAttribute(KeycloakSecurityContext.class.getName())).getToken();

But request.getAttribute(KeycloakSecurityContext.class.getName()) returns null.

Here is the code of my REST WS class:
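import java.util.Enumeration;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import org.keycloak.KeycloakSecurityContext;

@Path("/")
public class SampleDataService {
	@Context HttpServletRequest servletRequest;

	@GET
	@Path("/query")
	@Produces("text/plain")
	public String getData() {
		// Collect the names of all request attributes for debugging.
		Enumeration<String> attributes = servletRequest.getAttributeNames();
		StringBuilder names = new StringBuilder("Attributes: ");
		while (attributes.hasMoreElements()) {
			names.append(attributes.nextElement());
			names.append(", ");
		}
		// The Keycloak adapter stores its context under the class name of KeycloakSecurityContext.
		System.out.println("Keycloak security context: " + servletRequest.getAttribute(KeycloakSecurityContext.class.getName()));
		System.out.println("Request " + names.toString());
		return "Sample data for id ";
	}
}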

Console output is like this:
11:28:22,400 DEBUG [org.apache.catalina.realm.RealmBase] (http-/0.0.0.0:8080-1)   Checking constraint 'SecurityConstraint[Admins]' against GET /query --> true
11:28:22,401 DEBUG [org.apache.catalina.realm.RealmBase] (http-/0.0.0.0:8080-1)   Checking constraint 'SecurityConstraint[Admins]' against GET /query --> true
11:28:22,401 DEBUG [org.apache.catalina.realm.RealmBase] (http-/0.0.0.0:8080-1)   Checking constraint 'SecurityConstraint[Admins]' against GET /query --> true
11:28:22,401 DEBUG [org.apache.catalina.realm.RealmBase] (http-/0.0.0.0:8080-1)   Checking constraint 'SecurityConstraint[Admins]' against GET /query --> true
11:28:22,401 DEBUG [org.apache.catalina.realm.RealmBase] (http-/0.0.0.0:8080-1)   No applicable constraint located
11:28:22,401 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-/0.0.0.0:8080-1)  Not subject to any constraint
11:28:22,401 DEBUG [org.keycloak.adapters.tomcat.AuthenticatedActionsValve] (http-/0.0.0.0:8080-1) AuthenticatedActionsValve.invoke /audit/query
11:28:22,401 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (http-/0.0.0.0:8080-1) AuthenticatedActionsValve.invoke http://localhost:8080/audit/query
11:28:22,402 INFO  [stdout] (http-/0.0.0.0:8080-1) Keycloak security context: null
11:28:22,403 INFO  [stdout] (http-/0.0.0.0:8080-1) Request Attributes: RESTEASY_CHOSEN_ACCEPT, org.jboss.resteasy.core.ResourceMethodInvoker,

Please advise.

Thanks?
-----------------
Andrey Ryvlin
Principal Software Engineer

Phone: 952-979-8492
5705 W Old Shakopee Road, Suite 100
Bloomington, MN 55437 USA
ARyvlin at MorphoTrust.com
www.MorphoTrust.com




-----Original Message-----
From: Bill Burke [mailto:bburke at redhat.com]
Sent: Friday, April 03, 2015 2:40 PM
To: Ryvlin, Andrey; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Exchange access token to id token

Oh, you have a REST service being invoked on?  And you want to get claim information?  Yes, you can get the access token.

     AccessToken accessToken  = ((KeycloakSecurityContext)request.getAttribute(KeycloakSecurityContext.class.getName())).getToken();


request here is HttpServletRequest

On 4/3/2015 3:29 PM, Ryvlin, Andrey wrote:
> Can I get user id from the access token?
> That's the only token I can get from HTTP Authorization header. Actual login and getting login response happens earlier, at my web application or oauth client.
> So, at my REST implementation class I only have access token.
>
> Thanks!!
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org 
> [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
> Sent: Friday, April 03, 2015 2:20 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Exchange access token to id token
>
> Our access tokens are actually JsonWebTokens packaged in a Json Web Signature.  Direct Grant login should also return an IDToken within the Access Token Response.
>
> On 4/3/2015 3:15 PM, Ryvlin, Andrey wrote:
>> Hi,
>>
>> I’m using Keycloak direct grant login to my REST APIs and I need to 
>> get authenticated user information for auditing purpose.
>>
>> At my REST implementation class I can get access token from HTTP 
>> header by using a request interceptor, but I believe that token is 
>> useless for auditing.
>>
>> Is there Keycloak REST API to get id token for the access token?
>>
>> Thank you in advance
>>
>> Andrey Ryvlin
>>
>> Sr. Software Engineer
>>
>>
>> ----------------------------------------------------------------------
>>
>> This message is only for the use of the intended recipient and may 
>> contain information that is CONFIDENTIAL and PROPRIETARY to 
>> MorphoTrust USA, Inc. If you are not the intended recipient, please 
>> erase all copies of the message and its attachments and notify the sender immediately.
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
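
How the audit lookup discussed in this thread can fail closed when the security context attribute is null, as an added example that is not code from the thread or from the Keycloak project. The class name AuditedDataService and the helpers requireToken and clean are hypothetical, and the sketch assumes the Keycloak adapter is installed and authenticates requests to this endpoint.

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

// Hypothetical resource; the path mirrors the /query endpoint in the thread.
@Path("/")
public class AuditedDataService {
    private static final Logger AUDIT = Logger.getLogger("audit");

    @Context
    HttpServletRequest servletRequest;

    @GET
    @Path("/query")
    @Produces("text/plain")
    public String getData() {
        AccessToken token = requireToken(servletRequest);
        // "sub" is the stable user id; preferred_username can be absent or renamed.
        AUDIT.info("user=" + clean(token.getSubject())
                + " name=" + clean(token.getPreferredUsername())
                + " action=GET /query");
        return "Sample data for id " + token.getSubject();
    }

    // Returns the token the adapter already validated, or rejects with 401.
    // The attribute is absent when the adapter did not authenticate the request,
    // so a null here must never fall through to an anonymous audit record.
    static AccessToken requireToken(HttpServletRequest request) {
        Object ctx = request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx instanceof KeycloakSecurityContext) {
            AccessToken token = ((KeycloakSecurityContext) ctx).getToken();
            if (token != null) {
                return token;
            }
        }
        throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED)
                .header("WWW-Authenticate", "Bearer").build());
    }

    // Claim values are user-influenced: strip CR/LF so they cannot forge log lines.
    static String clean(String value) {
        return value == null ? "-" : value.replaceAll("[\\r\\n]", "_");
    }
}
```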


