[keycloak-user] How to access secured REST endpoint from keycloak-spring-security-adapter

Sebastien Blanc sblanc at redhat.com
Thu Dec 1 16:45:16 EST 2016


(including mailing list)

On Thu, Dec 1, 2016 at 8:31 PM, Matt H <tsdgcc2087 at outlook.com> wrote:

> I have a suite of spring applications that are using keycloak for
> authentication.  I'm using the Keycloak spring security adapter and have
> successfully secured the endpoints that I want to.  I have situations where
> I need Application A to make a call to a secured endpoint on Application
> B.  I am able to do this client to client communication by using the
> KeycloakRestTemplate but only when a user calls Application A with a valid
> token.
>
>
> Application A also has a process that will call Application B without user
> interaction.  When this is done I get an error "java.lang.IllegalStateException:
> Cannot set authorization header because there is no authenticated
> principal".  This makes sense since I don't have a valid user token.
>
>
> Application A and Application B use the same client in keycloak and it is
> set to be a confidential client.  I have tried it with and without having
> service accounts enabled.
>
When you say "with service accounts enabled", have you followed all the
instructions from here
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/oidc/service-accounts.html,
meaning also calling the
/{server-root-usualy-auth}/realms/{realm-name}/protocol/openid-connect/token
endpoint in order to retrieve a valid token?

>
>
> Some questions I have are:
>
> 1. How do I have applications (not users) call a secured REST endpoint?
>
> 2. Do the provided keycloak adapters (like the spring security adapter)
> provide this functionality?
>
> 3. Do I need an additional client account to do this?
>
> 4. Are there any libraries that handle refreshing these tokens or
> automatically obtaining one if it doesn't exist?
>
>
> I see lots of examples on how a user can access a secured service, but not
> much on an application accessing a secured service.
>

