[keycloak-user] How is Basic Authentication implemented for Java adapters?

Michael Furman michael_furman at hotmail.com
Wed Dec 14 01:59:54 EST 2016


Hi,
We need to implement authentication for our REST APIs.
The issue is not simple since the same APIs are used for the UI and for the CLI clients.
CLI clients access REST API using Basic Authentication.
For UI we want to access REST APIs after OIDC authentication.
Therefore we need to achieve the following:

  *   If a request comes without any authentication the server should respond with HTTP 401.
  *   If a request comes with the Basic Authentication header it is authenticated.
  *   If a request comes with Keycloak cookies it is authenticated (and HTTP 401 does not appear).
Is it possible to do it?
I will be happy to clarify how Basic Authentication is implemented for Keycloak Java adapters.
I found the enable-basic-auth configuration here:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/java-adapter-config.html
Questions:

  1.  Will the Keycloak Java adapter prompt with HTTP 401 if a request comes without any authentication?
      (we cannot allow OIDC redirection in this case)
  2.  What happens when a request comes with the Basic Authentication header? Is it authenticated?
      How does the Keycloak Java adapter validate the user name and password?

  3.  What happens when a request comes with Keycloak cookies?


Best regards,
   Michael


