[keycloak-user] Get the user of the current request from the KeycloakSession?
Bill Burke
bburke at redhat.com
Wed Dec 16 09:52:30 EST 2015
On 12/16/2015 9:37 AM, Erik Mulder wrote:
> Seems like a simple scenario, but I can't figure it out: I have an
> instance of the KeycloakSession and I want to get the UserModel for the
> current request. Is this possible?
>
> Context: I'm creating a custom REST service that runs inside keycloak
> and needs to get some data that is related to the current authenticated
> user. For instance the realm and client I can get through the
> session.getContext().getClient/Realm(). I would expect a getUser() there
> too, but I can't find it anywhere 'in' the session.
>
> If this isn't possible, shouldn't it be? Or if not, why not?
>
I'm assuming this REST request is from a browser Javascript client?
Login sessions are maintained only through a cookie. You'd have to
login through the browser first, then read the cookie.
BTW, cookies are a really bad way of securing a REST interface. Your
REST interface becomes vulnerable to CSRF attacks. I suggest you use a
token to secure your REST interface. If you are already using
keycloak.js to log in, you can obtain the token from the Keycloak
javascript interface and use that to invoke your service.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
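As an added example of the token-based approach Bill recommends (this is not code from the thread or from the Keycloak project): a custom JAX-RS resource running inside Keycloak that resolves the caller from the `Authorization: Bearer` header instead of the login cookie, and answers 401 when no valid token is present. The class and method names used (`AppAuthManager.authenticateBearerToken`, `AuthenticationManager.AuthResult`, `session.getContext().getConnection()`) are my understanding of the keycloak-services API of that era and should be checked against the Keycloak version you build against; how the resource is registered with Keycloak is left out.

```java
// Added example, not Keycloak project code. Assumed API: AppAuthManager,
// AuthenticationManager.AuthResult and KeycloakContext.getConnection() as
// found in keycloak-services around the 1.x releases; verify against your version.
import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager.AuthResult;

public class WhoAmIResource {

    private final KeycloakSession session;

    public WhoAmIResource(KeycloakSession session) {
        this.session = session;
    }

    /**
     * Resolve the calling user from the bearer token on the request.
     * Returns null when the header is missing or the token does not verify,
     * so the caller can refuse instead of silently falling back to the cookie.
     */
    private UserModel userFromBearerToken(UriInfo uriInfo, HttpHeaders headers) {
        RealmModel realm = session.getContext().getRealm();
        AuthResult auth = new AppAuthManager().authenticateBearerToken(
                session, realm, uriInfo, session.getContext().getConnection(), headers);
        return auth == null ? null : auth.getUser();
    }

    @GET
    @Path("whoami")
    @Produces(MediaType.APPLICATION_JSON)
    public Response whoAmI(@Context UriInfo uriInfo, @Context HttpHeaders headers) {
        UserModel user = userFromBearerToken(uriInfo, headers);
        if (user == null) {
            // No usable token: a cookie-only browser request lands here and is rejected,
            // which is what keeps the endpoint out of reach of CSRF.
            String challenge = "Bearer realm=\"" + session.getContext().getRealm().getName() + "\"";
            return Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, challenge)
                    .build();
        }
        // Let the JAX-RS JSON provider serialize the map rather than building JSON by hand.
        Map<String, String> body = new HashMap<>();
        body.put("id", user.getId());
        body.put("username", user.getUsername());
        return Response.ok(body).build();
    }
}
```

On the browser side, a page that has logged in through keycloak.js holds the access token as `keycloak.token`; sending it as `Authorization: Bearer <token>` on the XHR to this resource is what makes `userFromBearerToken` succeed, and no cookie is consulted at any point.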