[keycloak-user] help with bearer + basic auth

Wed Jul 15 13:05:52 EDT 2015

Looking at this more closely, it seems like it's related to the fact 
that I'm using a different domain for my keycloak server. I'm not sure 
why, but when I switch the server from "bearer-only" to 
"enable-basic-auth" I immediately see a 'code' query param start showing 
up in the URLs my UI uses. At the same time, I start seeing 'No state 
cookie' in the server output.

https://gist.github.com/jdcasey/b6254fb5813136ae8495

Knowing that cookies are tied to the domain in which they're created, 
could it be that redirecting to a different domain for keycloak 
authentication breaks the bearer auth to my REST server? If so, why 
would it (and the use of the 'code' query param) change when going from 
"bearer-only" -> "enable-basic-auth"?

I haven't set breakpoints and debugged this yet. It's not awesome that 
an app user can't determine enough from the (extensive) configuration 
guide to be able to do this without setting up a debugger...Do you have 
a FAQ / Troubleshooting area where these things can be logged so the 
next user doesn't have to spend days on this?

On 07/15/2015 10:56 AM, Juraci Paixão Kröhling wrote:
> It should *not* be needed. In Hawkular, we don't need to do anything
> extra to get the backend adapter to accept bearer tokens *and* basic
> authentication. I'd say that you are missing some configuration entry.
>
> I'd recommend putting a breakpoint on those places and then following
> the code:
>
> http://git.io/vml9j
> http://git.io/vmlXS
> http://git.io/vm3Qj
>
> - Juca.
>
> On 07/15/2015 05:17 PM, John Casey wrote:
>> Actually, that's where I started before I originally asked this list.
>>    From following the configuration examples there, and checking my realm
>> configuration against that in the example, I was only able to setup ONE
>> OR THE OTHER of the following cases (never both):
>>
>> - basic authentication worked on the REST server, when using curl as a
>> client
>>
>> - the UI worked, using a bearer token (the javascript adapter was doing
>> the actual sign-in)
>>
>> After taking Bill's advice to look at implementing another LoginModule,
>> I came up with this:
>>
>> http://bit.ly/1CH4kdU
>>
>> This actually satisfies both cases by doing the BASIC -> Bearer
>> translation on the server side, then passing it on to Keycloak's
>> authentication mechanisms...but I'm not sure it's the most elegant solution.
>>
>> On 07/15/2015 02:17 AM, Stian Thorgersen wrote:
>>> Have a look at basic-auth example, it's included in the examples dl.
>>>
>>> ----- Original Message -----
>>>> From: "John Casey" <jdcasey at commonjava.org>
>>>> To: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
>>>> Sent: Tuesday, 14 July, 2015 9:23:46 PM
>>>> Subject: Re: [keycloak-user] help with bearer + basic auth
>>>>
>>>> Well, when I use "enable-basic-auth" this works fine:
>>>>
>>>> $ curl -u test -i http://localhost:8081/api/admin/remote
>>>> Enter host password for user 'test':
>>>> HTTP/1.1 200 OK
>>>> ...
>>>>
>>>> However, that configuration causes the UI use a 'code' query param and
>>>> encounter 400 responses. In the keycloak server output I see:
>>>>
>>>> 19:19:07,524 WARN  [org.keycloak.events] (default task-7)
>>>> type=REFRESH_TOKEN_ERROR, realmId=master,
>>>> clientId=security-admin-console, userId=null, ipAddress=127.0.0.1,
>>>> error=invalid_token
>>>>
>>>> I'm looking through the code keycloak uses to supply an authentication
>>>> mechanism to undertow now, to hopefully come with a way to handle basic
>>>> auth...maybe through a wrapper auth mech around keycloak?
>>>>
>>>> Do you have any samples / hints I might be able to follow? I'll admit,
>>>> this is the first time I've had to look this closely at servlet/web auth
>>>> mechanisms.
>>>>
>>>>
>>>> On 07/14/2015 11:16 AM, Bill Burke wrote:
>>>>> IIRC, the basic auth switch is so that you can send the token via basic
>>>>> auth rather than as bearer auth.  This is really only useful when you
>>>>> can't use a keycloak adapter, but can implement a LoginModule or
>>>>> something.  It has nothing to do with basic auth.
>>>>>
>>>>> On 7/14/2015 12:04 PM, John Casey wrote:
>>>>>> On 07/14/2015 10:49 AM, Juraci Paixão Kröhling wrote:
>>>>>>> On 07/14/2015 05:32 PM, John Casey wrote:
>>>>>>>> ...but it doesn't seem to have a javascript UI or anything using bearer
>>>>>>>> tokens to verify that it works that way.
>>>>>>>
>>>>>>> Not sure I understood your question, but removing the "bearer-only" and
>>>>>>> adding "enable-basic-auth" should be enough to have your server adapter
>>>>>>> to accept both bearer tokens and basic auth.
>>>>>>>
>>>>>>
>>>>>> This is exactly what I'm trying to do. I've tried removing "bearer-only"
>>>>>> and replaced it with "enable-basic-auth"...which has two effects:
>>>>>>
>>>>>> - basic auth via curl works (it didn't before the change)
>>>>>>
>>>>>> - the UI (using javascript adapter + bearer token) gets 400 Bad Request
>>>>>>
>>>>>>
>>>>>> Are you using the javascript adapter to login for your UI, passing the
>>>>>> bearer token to the server? I guess what I'm asking is if your
>>>>>> application actually uses both methods (basic auth and bearer token)?
>>>>>>
>>>>>> I'm not sure how to filter my realm json to pare out the unnecessary
>>>>>> stuff, but here's a gist containing the full file (it's on a test docker
>>>>>> container, so no worries about security):
>>>>>>
>>>>>> https://gist.github.com/jdcasey/3f934fcd4967b99ebb05
>>>>>>
>>>>>
>>>>
>>>> --
>>>> John Casey
>>>> ---
>>>> GitHub:  https://github.com/jdcasey/
>>>> Twitter: http://twitter.com/buildchimp
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
John Casey
---
GitHub:  https://github.com/jdcasey/
Twitter: http://twitter.com/buildchimp