[keycloak-user] help with bearer + basic auth

John Casey jdcasey at commonjava.org
Tue Jul 14 15:23:46 EDT 2015


Well, when I use "enable-basic-auth" this works fine:

$ curl -u test -i http://localhost:8081/api/admin/remote
Enter host password for user 'test':
HTTP/1.1 200 OK
...

However, that configuration causes the UI to use a 'code' query param and 
encounter 400 responses. In the keycloak server output I see:

19:19:07,524 WARN  [org.keycloak.events] (default task-7) 
type=REFRESH_TOKEN_ERROR, realmId=master, 
clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, 
error=invalid_token

I'm looking through the code keycloak uses to supply an authentication 
mechanism to undertow now, to hopefully come up with a way to handle basic 
auth...maybe through a wrapper auth mech around keycloak?

Do you have any samples / hints I might be able to follow? I'll admit, 
this is the first time I've had to look this closely at servlet/web auth 
mechanisms.


On 07/14/2015 11:16 AM, Bill Burke wrote:
> IIRC, the basic auth switch is so that you can send the token via basic
> auth rather than as bearer auth.  This is really only useful when you
> can't use a keycloak adapter, but can implement a LoginModule or
> something.  It has nothing to do with basic auth.
>
> On 7/14/2015 12:04 PM, John Casey wrote:
>> On 07/14/2015 10:49 AM, Juraci Paixão Kröhling wrote:
>>> On 07/14/2015 05:32 PM, John Casey wrote:
>>>> ...but it doesn't seem to have a javascript UI or anything using bearer
>>>> tokens to verify that it works that way.
>>>
>>> Not sure I understood your question, but removing the "bearer-only" and
>>> adding "enable-basic-auth" should be enough to have your server adapter
>>> accept both bearer tokens and basic auth.
>>>
>>
>> This is exactly what I'm trying to do. I've tried removing "bearer-only"
>> and replaced it with "enable-basic-auth"...which has two effects:
>>
>> - basic auth via curl works (it didn't before the change)
>>
>> - the UI (using javascript adapter + bearer token) gets 400 Bad Request
>>
>>
>> Are you using the javascript adapter to login for your UI, passing the
>> bearer token to the server? I guess what I'm asking is if your
>> application actually uses both methods (basic auth and bearer token)?
>>
>> I'm not sure how to filter my realm json to pare out the unnecessary
>> stuff, but here's a gist containing the full file (it's on a test docker
>> container, so no worries about security):
>>
>> https://gist.github.com/jdcasey/3f934fcd4967b99ebb05
>>
>

-- 
John Casey
---
GitHub:  https://github.com/jdcasey/
Twitter: http://twitter.com/buildchimp
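The REFRESH_TOKEN_ERROR line quoted above is the kind of thing worth watching on the server side while juggling adapter settings: an adapter that suddenly rejects the UI's bearer token shows up as a burst of invalid_token events for the affected clientId. The following is an added example, not code from the thread or from Keycloak, that parses the `org.keycloak.events` log line format seen in the post into structured events and counts token errors per client. The first sample line mirrors the quoted server output; the other two are constructed to exercise the parser.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log. Line 1 mirrors the WARN line quoted in the thread;
# lines 2 and 3 are made up so the parser sees a non-error event and a repeat.
SAMPLE_LOG = """\
19:19:07,524 WARN  [org.keycloak.events] (default task-7) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=invalid_token
19:19:09,101 INFO  [org.keycloak.events] (default task-8) type=LOGIN, realmId=master, clientId=security-admin-console, userId=1234, ipAddress=127.0.0.1
19:19:12,777 WARN  [org.keycloak.events] (default task-9) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=invalid_token
"""

# Shape of the line: "<time> <LEVEL>  [org.keycloak.events] (<thread>) key=value, key=value, ..."
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"\[org\.keycloak\.events\]\s+"
    r"\((?P<thread>[^)]*)\)\s+"
    r"(?P<fields>.*)$"
)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one keycloak events log line into a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"time": m.group("time"), "level": m.group("level"), "thread": m.group("thread")}
    # The payload is a comma-separated list of key=value pairs.
    for part in m.group("fields").split(","):
        key, _, value = part.strip().partition("=")
        if key:
            event[key] = value
    return event


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every recognisable event line in a block of server output."""
    events = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is not None:
            events.append(ev)
    return events


def token_errors_by_client(events: List[Dict[str, str]]) -> Counter:
    """Count *_ERROR events carrying error=invalid_token, keyed by clientId."""
    counts: Counter = Counter()
    for ev in events:
        if ev.get("type", "").endswith("_ERROR") and ev.get("error") == "invalid_token":
            counts[ev.get("clientId", "<unknown>")] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for client, n in token_errors_by_client(parsed).items():
        print(f"{client}: {n} invalid_token error(s)")
```

Run it against real server output by swapping SAMPLE_LOG for the contents of the log file; a count that jumps for one clientId right after an adapter config change is the signal that the change broke that client's token flow rather than the user's credentials.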

