[keycloak-user] Get the user of the current request from the KeycloakSession?
Bill Burke
bburke at redhat.com
Wed Dec 16 16:06:56 EST 2015
Sorry I misunderstood you. Sometimes I'm not sure if people understand
basic stuff or not :)
Without knowing what Pedro did for you, I can't help you as its not
something that is in the current codebase.
On 12/16/2015 10:34 AM, Erik Mulder wrote:
> Thanks, but I'm not sure I understand you correctly. Let me clearify:
> - I'm extending the Keycloak REST webservices with some custom
> resources, for instance:
> http://127.0.0.1:8080/auth/realms/<realmId>/docdata/<myResource> (a
> piece of code from Pedro made this possible)
> - I'm implementing an SPI (also from Pedro's change) that gets a
> KeycloakSession object to 'work with'.
> - I do authenticate on the keycloak server using a token (OpenID
> Connect) that I got from a previous succesful login.
> - Somewhere in the Keycloak internals this token is validated and a
> User(Model/Session) is found that corresponds to this token.
> - <assumption>: This User is saved somewhere in the session context
>
> Now, my question is: How can I get hold of this User(Model/Session),
> given that I have just a KeycloakSession object?
>
> Through debugging I see that session.sessions() has a UserSessionEntity
> for my current request, but since there might be more at the same time,
> how can I relate my current request to the one User that is associated
> with it?
>
>
>
> On 16/12/15 15:52, Bill Burke wrote:
>> On 12/16/2015 9:37 AM, Erik Mulder wrote:
>>> Seems like a simple scenario, but I can't figure it out: I have an
>>> instance of the KeycloakSession and I want to get the UserModel for the
>>> current request. Is this possible?
>>>
>>> Context: I'm creating a custom REST service that runs inside keycloak
>>> and needs to get some data that is related to the current authenticated
>>> user. For instance the realm and client I can get through the
>>> session.getContext().getClient/Realm(). I would expect a getUser() there
>>> too, but I can't find it anywhere 'in' the session.
>>>
>>> If this isn't possible, shouldn't it be? Or if not, why not?
>>>
>> I'm assuming this REST request is from a browser Javascript client?
>> Login sessions are maintained only through a cookie. You'd have to
>> login through the browser first, then read the cookie.
>>
>> BTW, cookies are a really bad way of securing a REST interface. Your
>> REST interface becomes vulnerable to CSRF attacks. I suggest you use a
>> token to secure your REST interface. If you are already using
>> keycloak.js to login in, you can obtain the token from the Keycloak
>> javascript interface and use that to invoke your service.
>>
>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-user
mailing list