[keycloak-user] help with bearer + basic auth
John Casey
jdcasey at commonjava.org
Thu Jul 16 12:50:23 EDT 2015
So, I've gone back to using this basic-auth translator to inject a
bearer token, after wrestling with it for a couple of days. It's
probably wrong (there's probably some way to do what I need to with
enable-basic-auth) but I'm out of time for now. I've marked the code
with some notes about the problems I'm seeing trying to do it the right
way...
What I'm wondering now is if it'd be a massive security problem if I
injected a RESPONSE header with the token in it when the basic-auth
translator runs. This would enable my Java client API to use basic auth,
then save the bearer token and use that for future calls. It might save
a little bit in backend round-trips to the Keycloak server.
But I don't want to open up a gaping security hole...
Thanks,
-john
--
John Casey
---
GitHub: https://github.com/jdcasey/
Twitter: http://twitter.com/buildchimp
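The Basic-to-Bearer exchange described in the message above, as an added example that is not part of the original post and is not Keycloak's adapter or token-endpoint code. It assumes a constructed in-process token issuer (HMAC-signed, short-lived opaque tokens), a constructed demo user, and a hypothetical `X-Auth-Token` response header; both the server-side translator and the caching client are simulated so the flow runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for the token service. It is NOT Keycloak's token
# endpoint or adapter API: it only mints and checks an HMAC-signed, short-lived
# opaque token so the Basic -> Bearer exchange can be exercised offline.
USERS = {"alice": "correct horse"}          # constructed demo credential
SIGNING_KEY = secrets.token_bytes(32)       # per-process demo key
TOKEN_TTL = 300                             # seconds; keep the lifetime short
TOKEN_HEADER = "X-Auth-Token"               # hypothetical response header name


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(user: str, ttl: int = TOKEN_TTL) -> str:
    body = json.dumps({"sub": user, "exp": int(time.time()) + ttl}).encode()
    b64 = base64.urlsafe_b64encode(body).decode().rstrip("=")
    return b64 + "." + _sign(body)


def verify_token(token: str):
    """Return the subject for a valid, unexpired token, else None."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:                       # binascii.Error is a ValueError
        return None
    if not hmac.compare_digest(_sign(body), sig):
        return None
    claims = json.loads(body)
    return claims["sub"] if claims["exp"] > time.time() else None


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(authz: str):
    """Decode 'Basic <b64>'; the password may itself contain ':' (RFC 7617)."""
    scheme, _, cred = authz.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(cred.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle_request(headers: dict, tls: bool = True):
    """Server side (the 'translator'). Returns (status, response_headers, subject).

    The minted token goes back in TOKEN_HEADER only on the request that carried
    Basic credentials, only over TLS, and with Cache-Control: no-store so no
    cache or proxy retains it. For its lifetime that header is as sensitive as
    the password, so neither side may log it.
    """
    resp = {"Cache-Control": "no-store"}
    if not tls:
        return 400, resp, None               # never exchange secrets in the clear
    authz = headers.get("Authorization", "")
    scheme = authz.split(" ", 1)[0].lower()

    if scheme == "bearer":                   # cached-token path: no new token issued
        subject = verify_token(authz[len("bearer "):].strip())
        if subject is None:
            resp["WWW-Authenticate"] = 'Bearer error="invalid_token"'
            return 401, resp, None
        return 200, resp, subject

    creds = parse_basic(authz)
    expected = USERS.get(creds[0]) if creds else None
    if expected is None or not hmac.compare_digest(expected.encode(), creds[1].encode()):
        resp["WWW-Authenticate"] = 'Basic realm="demo"'
        return 401, resp, None
    resp[TOKEN_HEADER] = issue_token(creds[0])
    return 200, resp, creds[0]


class CachingClient:
    """Client side: send Basic once, then reuse the returned bearer token."""

    def __init__(self, user: str, password: str):
        self._basic = basic_header(user, password)
        self._token = None

    def request(self, tls: bool = True):
        """Returns (status, subject, scheme_sent) so callers can see which path ran."""
        authz = f"Bearer {self._token}" if self._token else self._basic
        status, resp, subject = handle_request({"Authorization": authz}, tls=tls)
        if status == 401 and self._token:    # expired/revoked token: retry with Basic once
            self._token = None
            return self.request(tls=tls)
        if TOKEN_HEADER in resp:             # cache the token; never log it
            self._token = resp[TOKEN_HEADER]
        return status, subject, authz.split(" ", 1)[0]
```

The design point the example makes concrete: for the token's lifetime the response header is exactly as sensitive as the password that produced it, so every control that protects the Basic credentials (TLS only, `no-store`, no logging, a short TTL) has to cover the header too, and the server emits it only on the request that actually carried Basic credentials, never on the bearer path. The client retries with Basic on a 401 so token expiry is handled without the caller noticing.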