[keycloak-user] How to access secured REST endpoint from keycloak-spring-security-adapter

Sebastien Blanc sblanc at redhat.com
Fri Dec 2 13:28:30 EST 2016


On Fri, Dec 2, 2016 at 3:31 PM, Matt H <tsdgcc2087 at outlook.com> wrote:

> Where does the KeycloakDeployment come from?  I looked through the service
> account example that uses the method below, but it only shows how to get it
> from an HttpServlet which still comes from a user interaction.
>
I haven't tried it, but in KeycloakWebSecurityConfigurerAdapter, which you
probably subclass in your app to configure the security, there is an
adapterDeploymentContext() method, and from the returned context you can get
the KeycloakDeployment object.

>
> One idea could be to extend the KeycloakRestTemplate to allow for a flag
> to use service accounts then obtain a token for it.
>
>
> Another idea would be to have another class that could be autowired (I'm
> using Spring) that takes care of getting a service account access token,
> storing it, and refreshing it if it expires. It would need to read the
> keycloak.json (or the same properties that are set for it) to get the
> client and secret.
>
These are really great suggestions and I will make sure to add them to the
ticket, thx.



>
>
> ------------------------------
> *From:* Sebastien Blanc <sblanc at redhat.com>
> *Sent:* Friday, December 2, 2016 1:04 AM
>
> *To:* Matt H
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] How to access secured REST endpoint from
> keycloak-spring-security-adapter
>
> There is one way you can leverage the adapter for this, which is using this
> method:
>
> ClientCredentialsProviderUtils.setClientCredentials(deployment,
> reqHeaders, reqParams);
>
> This way, you don't have to worry about passing your credentials. But it's
> worth thinking about how we can enhance the developer experience in this area;
> if you have some ideas, feel free to share them, and I will also open a
> ticket to track this.
>
>
>
> On Thu, Dec 1, 2016 at 10:58 PM, Matt H <tsdgcc2087 at outlook.com> wrote:
>
>> Yes, I was looking at that guide.  I knew how to go to the keycloak token
>> endpoint and get a token.  I wasn't sure if this is the way it needed to be
>> done, or if it could be done through the provided adapters.
>>
>>
>> When the adapters are already being used, and it knows of your client and
>> secret already, it seemed like a lot of overhead to go out to keycloak some
>> other way and make sure that token is not expired (along with token re-issuing
>> logic), then make the call.  If this is the required way, that's fine.
>>
>> ------------------------------
>> *From:* Sebastien Blanc <sblanc at redhat.com>
>> *Sent:* Thursday, December 1, 2016 3:45 PM
>> *To:* Matt H
>> *Cc:* keycloak-user at lists.jboss.org
>> *Subject:* Re: [keycloak-user] How to access secured REST endpoint from
>> keycloak-spring-security-adapter
>>
>> (including mailing list)
>>
>> On Thu, Dec 1, 2016 at 8:31 PM, Matt H <tsdgcc2087 at outlook.com> wrote:
>>
>>> I have a suite of spring applications that are using keycloak for
>>> authentication.  I'm using the Keycloak spring security adapter and have
>>> successfully secured the endpoints that I want to.  I have situations where
>>> I need Application A to make a call to a secured endpoint on Application
>>> B.  I am able to do this client to client communication by using the
>>> KeycloakRestTemplate but only when a user calls Application A with a valid
>>> token.
>>>
>>>
>>> Application A also has a process that will call Application B without
>>> user interaction.  When this is done I get an error
>>> "java.lang.IllegalStateException: Cannot set authorization header
>>> because there is no authenticated principal".  This makes sense since I
>>> don't have a valid user token.
>>>
>>>
>>> Application A and Application B use the same client in keycloak and it
>>> is set to be a confidential client.  I have tried it with and without
>>> having service accounts enabled.
>>>
>> When you say "with service accounts enabled", have you followed all the
>> instructions from here
>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/oidc/service-accounts.html ,
>> meaning also calling the
>> /{server-root-usually-auth}/realms/{realm-name}/protocol/openid-connect/token
>> endpoint in order to retrieve a valid token?
>>
>>>
>>>
>>> Some questions I have are:
>>>
>>> 1. How do I have applications (not users) call a secured REST endpoint?
>>>
>>> 2. Do the provided keycloak adapters (like the spring security adapter)
>>> provide this functionality?
>>>
>>> 3. Do I need an additional client account to do this?
>>>
>>> 4. Are there any libraries that handle refreshing these tokens or
>>> automatically obtaining one if it doesn't exist?
>>>
>>>
>>> I see lots of examples on how a user can access a secured service, but
>>> not much on an application accessing a secured service.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
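Putting the pieces from this thread together (the KeycloakDeployment obtained via the adapter's adapterDeploymentContext() bean, ClientCredentialsProviderUtils.setClientCredentials() to attach the client credentials from keycloak.json, and the client_credentials grant against the realm's openid-connect/token endpoint), here is an added example of the "autowired class that obtains, stores and refreshes a service-account token" that Matt suggested. This is illustration code written for this page, not code from the thread or from the Keycloak project. It assumes Keycloak 2.x adapter APIs, a keycloak.json on the classpath describing a confidential client with "Service Accounts Enabled" turned on, a single fixed deployment (no KeycloakConfigResolver, otherwise resolveDeployment(null) would fail), and a hypothetical package and bean name.

```java
// Added example, not from the thread or the Keycloak project.
// Assumptions: Keycloak 2.x adapter, keycloak.json on the classpath, a single fixed
// deployment (no KeycloakConfigResolver), and "Service Accounts Enabled" on the client.
package com.example.keycloak; // hypothetical package name

import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.message.BasicNameValuePair;
import org.keycloak.OAuth2Constants;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.authentication.ClientCredentialsProviderUtils;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.util.JsonSerialization;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
public class ServiceAccountTokenProvider {

    // Re-fetch this many seconds before the token expires to avoid using a token
    // that dies in flight (chosen value is an assumption, tune to your network).
    private static final long EXPIRY_SKEW_SECONDS = 30;

    private final KeycloakDeployment deployment;
    private String cachedToken;
    private long expiresAtMillis;

    @Autowired
    public ServiceAccountTokenProvider(AdapterDeploymentContext adapterDeploymentContext) {
        // The bean created by KeycloakWebSecurityConfigurerAdapter.adapterDeploymentContext()
        // wraps one fixed deployment, so no HttpFacade is needed to resolve it.
        this.deployment = adapterDeploymentContext.resolveDeployment(null);
    }

    /** Returns a valid service-account access token, fetching a new one when needed. */
    public synchronized String getAccessToken() throws IOException {
        if (cachedToken == null || System.currentTimeMillis() >= expiresAtMillis) {
            AccessTokenResponse response = requestClientCredentialsToken();
            cachedToken = response.getToken();
            expiresAtMillis = System.currentTimeMillis()
                    + (response.getExpiresIn() - EXPIRY_SKEW_SECONDS) * 1000L;
        }
        return cachedToken;
    }

    private AccessTokenResponse requestClientCredentialsToken() throws IOException {
        Map<String, String> reqHeaders = new HashMap<>();
        Map<String, String> reqParams = new HashMap<>();
        // Attaches the client authentication configured in keycloak.json: a Basic
        // Authorization header for a client secret, or client_assertion form
        // parameters when the client uses JWT credentials. The secret never has to
        // be read or passed around by application code.
        ClientCredentialsProviderUtils.setClientCredentials(deployment, reqHeaders, reqParams);

        List<NameValuePair> form = new ArrayList<>();
        form.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.CLIENT_CREDENTIALS));
        for (Map.Entry<String, String> p : reqParams.entrySet()) {
            form.add(new BasicNameValuePair(p.getKey(), p.getValue()));
        }

        // deployment.getTokenUrl() is .../realms/{realm}/protocol/openid-connect/token
        HttpPost post = new HttpPost(deployment.getTokenUrl());
        for (Map.Entry<String, String> h : reqHeaders.entrySet()) {
            post.setHeader(h.getKey(), h.getValue());
        }
        post.setEntity(new UrlEncodedFormEntity(form, "UTF-8"));

        // Reuse the adapter's HttpClient so its TLS/truststore settings apply.
        HttpClient client = deployment.getClient();
        HttpResponse httpResponse = client.execute(post);
        int status = httpResponse.getStatusLine().getStatusCode();
        HttpEntity entity = httpResponse.getEntity();
        if (status != 200 || entity == null) {
            // Typical causes: service accounts not enabled on the client, or a wrong secret.
            throw new IOException("Token endpoint returned HTTP " + status);
        }
        try (InputStream in = entity.getContent()) {
            return JsonSerialization.readValue(in, AccessTokenResponse.class);
        }
    }
}
```

Application A's background process would then call Application B with a plain RestTemplate, sending `Authorization: Bearer <token>` with the value returned by getAccessToken(), instead of the KeycloakRestTemplate that requires an authenticated principal. Two things to check on the Keycloak side: the client must be confidential with "Service Accounts Enabled", and the roles Application B checks must be granted to the client's service-account user (the "Service Account Roles" tab of the client), since the token carries that user's roles and not those of any interactive user.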

