[keycloak-user] Rest endpoint and AngularJS client

Stian Thorgersen stian at redhat.com
Mon Feb 2 03:13:04 EST 2015



----- Original Message -----
> From: "Mohan Radhakrishnan" <Mohan.Radhakrishnan at cognizant.com>
> To: keycloak-user at lists.jboss.org
> Sent: Saturday, 31 January, 2015 1:42:39 PM
> Subject: [keycloak-user] Rest endpoint and AngularJS client
> 
> Hi,
> 
> This is my first post. We have a large HealthCare domain Rest application
> with an AngularJS client. We may require role-based access control of HTML
> views. We can consult LDAP to get these. But due to some internal reasons we
> are not going to use OAuth now. It may be a future enhancement.
> 
> Are these types of HTML5/JS applications still protected effectively based on
> roles? I wanted to know before I start reading more about Keycloak because
> OAuth is not used now.

An HTML5/JS application doesn't have any access control. All it can do is hide features a user can't access. The access control has to be done on the REST endpoints. This is a perfect fit for OpenID Connect.

When you log in to Keycloak, your app is given a token that includes the roles the user can access. These can then be used by the AngularJS app to enable/disable features. When invoking REST endpoints the token is passed along, which then allows the REST endpoints to verify whether the user has access to the requested resource or not.

In summary, Keycloak and OpenID Connect are perfect fits for the type of application you're doing.

> 
> Thanks,
> 
> Mohan
> This e-mail and any files transmitted with it are for the sole use of the
> intended recipient(s) and may contain confidential and privileged
> information. If you are not the intended recipient(s), please reply to the
> sender and destroy all copies of the original message. Any unauthorized
> review, use, disclosure, dissemination, forwarding, printing or copying of
> this email, and/or any action taken in reliance on the contents of this
> e-mail is strictly prohibited and may be unlawful. Where permitted by
> applicable law, this e-mail and other e-mail communications sent to and from
> Cognizant e-mail addresses may be monitored.
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

