[keycloak-user] [keycloak-dev] (no subject)

Luke Holmquist lholmqui at redhat.com
Fri Apr 29 14:44:46 EDT 2016


On Fri, Apr 29, 2016 at 2:23 PM, Sebastien Blanc <sblanc at redhat.com> wrote:

> Hi Luke !
>
>
> I might be wrong but I think I have the exact demo working of what you
> describe :
>
> 1. the standalone webapp client :
> https://github.com/sebastienblanc/devoxxfr/tree/master/angular-client ,
> you can run it with "grunt serve"
> 2. the nodejs service :
> https://github.com/sebastienblanc/devoxxfr/tree/master/nodejs-service ,
> run it with "npm start"
> 3. external keycloak server running
>
>
> I did not need to define any confidential client, the trick is to use
> "bearer-only" for the nodejs service, take a look at my sample realm :
> https://github.com/sebastienblanc/devoxxfr/blob/master/devoxxrealm.json
>
> i also see another realm file inside the nodejs-service directory,  is
that for something else.  looks like it would be if you were "logging in"
to the node server


> And sorry if I was completly aside what you meant.
>
> Sebi
>
>
> On Fri, Apr 29, 2016 at 7:09 PM, Luke Holmquist <lholmqui at redhat.com>
> wrote:
>
>> I have a use case, that i think could be pretty common,  but i'm not
>> entirely sure how to setup it up.
>>
>> The following is a little bit of a thought dump, so pardon me if i ramble
>> a little bit.
>>
>>
>> There are i think 3 components involved here:
>>
>> 1. a pure HTML/JS web app
>>
>> 2. A node.js REST  API server
>>
>> 3. Keycloak server
>>
>>
>> The app in this case, would not be served by the node server or the KC
>> server(wildfly), but with something like nginx(or even something like
>> 'python simpleHTTPServer')
>>
>> Basically the flow would be something like this[1]:
>>
>> The web app, using the js adapter, authenticates against the KC server.
>>
>>  Now the web app would like to call the node API server(a restricted
>> endpoint) to get some data
>>
>> The web app probably adds the token stuff that it got from KC during it;s
>> login to the request to the node server
>>
>> ***This next part is where i'm getting a little confused, i'm aware that
>> code to do this might not be written yet****
>>
>> I'm thinking the node server takes the token from the web app request,
>> and would hit an endpoint on the KC server to make sure that token is
>> valid.
>>
>> If things go ok, then node server returns the data.
>>
>> I've seen the recent post on doing token introspection and abstracj was
>> nice enough to make that into a gist,
>> https://gist.github.com/abstractj/4cd2231a472069d8b6f63b4008c74061
>>
>> but this would also mean the web client access_type would need to be
>> confidential(which i don't think is secure for a web app) to make a service
>> account that the node server could use to do the token introspection.
>>
>> I was thinking of maybe creating a client also for the node server, but
>> is it possible for 1 client to lookup/validate tokens from another client.
>>
>>
>> Perhaps i'm thinking about this all wrong too, which is very possible.
>>
>> In this example there is only 1 node api server,  but there could be
>> multiple node/go/rust/<insert cool kid tech here> servers too
>>
>>
>>
>> Any guidance would be appreciated and sorry for the ramble
>>
>> -Luke
>>
>>
>>
>>
>>
>>
>> [1]
>> https://docs.google.com/drawings/d/1BngijxAV2j0rjz18P0XcXeY9CClCg1mwQhROYQ2iWtU/edit
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160429/3354386f/attachment.html 


More information about the keycloak-user mailing list