[keycloak-user] Rest endpoint and AngularJS client

Mohan.Radhakrishnan at cognizant.com
Mon Feb 2 09:07:24 EST 2015


We do have WebSeal backed by Tivoli in our legacy application. The new REST endpoints are built on top of the legacy EJB application. It is not an entirely new application. Slowly the HTML5/Rest layers will replace the legacy system.

There could be others in the forum who have this setup. Any initial pointers?

Thanks,
Mohan

-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com]
Sent: Monday, February 02, 2015 1:43 PM
To: Radhakrishnan, Mohan (Cognizant)
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Rest endpoint and AngularJS client



----- Original Message -----
> From: "Mohan Radhakrishnan" <Mohan.Radhakrishnan at cognizant.com>
> To: keycloak-user at lists.jboss.org
> Sent: Saturday, 31 January, 2015 1:42:39 PM
> Subject: [keycloak-user] Rest endpoint and AngularJS client
>
> Hi,
>
> This is my first post. We have a large HealthCare domain Rest
> application with an AngularJS client. We may require role-based access
> control of HTML views. We can consult LDAP to get these. But due to
> some internal reasons we are not going to use OAuth now. It may be a future enhancement.
>
> Are these types of HTML5/JS applications still protected effectively
> based on roles? I wanted to know before I start reading more about
> Keycloak because OAuth is not used now.

An HTML5/JS application doesn't have any access control. All it can do is hide features a user can't access. The access control has to be done on the REST endpoints. This is a perfect fit for OpenID Connect.

When you login to Keycloak your app is given a token, that includes the roles the user can access. These can then be used by the AngularJS app to enable/disable features. When invoking REST endpoints the token is passed along, which then allows the REST endpoints to verify if the user has access to the requested resource or not.

In summary Keycloak and OpenID Connect are perfect fits for the type of application you're doing.

>
> Thanks,
>
> Mohan
> This e-mail and any files transmitted with it are for the sole use of
> the intended recipient(s) and may contain confidential and privileged
> information. If you are not the intended recipient(s), please reply to
> the sender and destroy all copies of the original message. Any
> unauthorized review, use, disclosure, dissemination, forwarding,
> printing or copying of this email, and/or any action taken in reliance
> on the contents of this e-mail is strictly prohibited and may be
> unlawful. Where permitted by applicable law, this e-mail and other
> e-mail communications sent to and from Cognizant e-mail addresses may be monitored.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


