[keycloak-user] Setting up webapplication to accept both bearer and openid redirect login
David Delbecq
david_delbecq at trimble.com
Thu Dec 29 11:11:46 EST 2016
I have a wildlfy application where i need this behaviour:
1) If user provides a token during request and try to access a secure area,
use it (typically soap ant rest requests)
2) If user has no credentials to show, issue interactive web login
So far I managed to get either 1) or 2) on the application, depending on
using bearer-only accesstype or not. But i can't seem to find out how to
have both behaviour. Below is json export of my current realm config. I am
currently doing this in wildfly
<secure-deployment name="shipping.war">
<realm>Shipping</realm>
<auth-server-url>${authURL}</auth-server-url>
<public-client>true</public-client>
<ssl-required>EXTERNAL</ssl-required>
<resource>shipping-soap</resource>
<use-resource-role-mappings>true</use-resource-role-mappings>
</secure-deployment>
using this code to get a token from the WS client
Keycloak keycloak =
Keycloak.getInstance(System.getProperty("keycloak.url"), "Shipping",
username, password, "shipping-soap");
customHeaders.put("Authorization", Arrays.asList("Bearer:
"+keycloak.tokenManager().getAccessTokenString()));
but when i issue the ws request, i get a redirect to keycloak (see below).
I suspect i misunderstood some parts of the keycloak configuration and it's
behaviour, but i am not sure what i did wrong. Can somebody explain me how
to integrate both webservice and webpages with a single client id?
POST /shipping/service/1.0/shipping HTTP/1.1
Content-Type: text/xml; charset=UTF-8
Accept: */*
Authorization: Bearer:
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZNjlCMm1aT2NuX0tnMTVEVC03MU5tUTNVN3NhdG1BLTJsc3BCM2VNRFNRIn0.eyJqdGkiOiI2ZGRmMjMxYy01YjY4LTQ4MDUtOWU4YS0zNWQ5YjQ2YzYwZDciLCJleHAiOjE0ODMwMjY0NzQsIm5iZiI6MCwiaWF0IjoxNDgzMDI2MTc0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjEzMDgwL2F1dGgvcmVhbG1zL1NoaXBwaW5nIiwiYXVkIjoic2hpcHBpbmctc29hcCIsInN1YiI6ImZiNjJlN2Y2LTIzMjAtNDc5YS04NTEwLWM4OTg0MzZiZmJlMSIsInR5cCI6IkJlYXJlciIsImF6cCI6InNoaXBwaW5nLXNvYXAiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiJkMWFhMTE1OS00Y2JiLTRkMDItOTcxNC0zNGQwMWJjZjYwYWYiLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiJmZWZkODg3Ni1lZWUyLTRiOWYtOWNkZS1kZGZhNWZkZjAyNjEiLCJhbGxvd2VkLW9yaWdpbnMiOltdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJzaGlwcGluZy1zb2FwIjp7InJvbGVzIjpbImF1dGhlbnRpY2F0ZWQiLCJST0xFX2F1dGhlbnRpY2F0ZWQiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibG9naW5AbHNwNCJ9.d_mRQaUIrxW0poRS3cxZt37IWoRusLKq5OG9_zSd5YAjzQS1sRZgHEvK7yF1aQy_kqebrN4xT67QVYCwqMZzsjIYC0_QBGm6vddCgFXuPLADjVXZJ5UHwHig7aoLRWB511AvpFwCQQuTkYaWD7neGKh4TWOqAkMqTvhzUZPD1GrxyzdBTqCQEKlWgkvBUousKoYd6x4Ua6ofbFgYi5H-1GlSXCHVyqXv3zlDwujhtiZWoAWdoKgEDkQ_dV4SZFZFigGwwYwqKViXm0HIQMOT9QwkN_Yjrhc5eeOgeOKr_YxQ_GkIjPuD4-5C-oM4tp8ikMC-kqsPmaXstlZTM3z5kA
SOAPAction: ""
User-Agent: Apache CXF 3.0.5
Cache-Control: no-cache
Pragma: no-cache
Host: localhost:18080
Connection: keep-alive
Content-Length: 1784
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:createShipments
xmlns:ns2="urn:trimbletl:eshipco:shipping:1_0"><ShipmentData><id>shipmentid</id><type>full-truckload</type><freightCarryingUnitType>none</freightCarryingUnitType><freightCarryingUnitSubType>box-dry-van</freightCarryingUnitSubType><freightCarryingUnitDimension>standard</freightCarryingUnitDimension><cargoType>break-bulk</cargoType><name>shipment
name</name><consignor><id>consignorid</id><name>consignor
name</name><address><street>street1</street><number>1</number><city>city1</city><zipcode>zipcode1</zipcode><area>area1</area><country>AE</country></address><coordinate><latitude>1</latitude><longitude>2</longitude></coordinate><contact><name>name1</name><company>company1</company><phone>phone1</phone></contact><timewindow><startTime>1970-01-01T01:00:01+01:00</startTime><endTime>1970-01-01T01:00:02+01:00</endTime></timewindow></consignor><consignee><id>consigneeid</id><name>consignee
name</name><address><street>street3</street><number>3</number><city>city3</city><zipcode>zipcode3</zipcode><area>area3</area><country>AG</country></address><coordinate><latitude>3</latitude><longitude>4</longitude></coordinate><contact><name>name3</name><company>company3</company><phone>phone3</phone></contact><timewindow><startTime>1970-01-01T01:00:03+01:00</startTime><endTime>1970-01-01T01:00:04+01:00</endTime></timewindow></consignee><goods><id>box</id><amount>1</amount><volume>100.0</volume><weight>1000.0</weight><loadingMeter>10.0</loadingMeter><length>6</length><width>4</width><height>5</height><ref>testref</ref><desc>some
description</desc></goods><property><key>type.goods</key><value>1000</value></property></ShipmentData></ns2:createShipments></soap:Body></soap:Envelope>HTTP/1.1
302 Found
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate
X-Powered-By: Undertow/1
Set-Cookie:
JSESSIONID=9XhPxotKq3r_uuhaVAya8iavBVSyqQ9Ibf1h2Emu.ddelbecq-precision;
path=/shipping
Set-Cookie:
OAuth_Token_Request_State=916/8084d5f9-fd05-4267-9d72-026acf016857; HttpOnly
Server: WildFly/9
Pragma: no-cache
Location:
http://localhost:13080/auth/realms/Shipping/protocol/openid-connect/auth?response_type=code&client_id=shipping-soap&redirect_uri=http%3A%2F%2Flocalhost%3A18080%2Fshipping%2Fservice%2F1.0%2Fshipping&state=916%2F8084d5f9-fd05-4267-9d72-026acf016857&login=true&scope=openid
Date: Thu, 29 Dec 2016 15:43:16 GMT
Connection: keep-alive
Content-Length: 0
{
"id" : "c3558938-fa2a-43c6-8de0-17d6ebbe9750",
"clientId" : "shipping-soap",
"description" : "Workbench, Adminbench and Administration",
"rootUrl" : "http://localhost:8080/",
"adminUrl" : "/shipping",
"baseUrl" : "/shipping",
"surrogateAuthRequired" : false,
"enabled" : true,
"clientAuthenticatorType" : "client-secret",
"secret" : "b556a2b8-bb1d-478e-97a0-14105556427f",
"defaultRoles" : [ "authenticated", "ROLE_authenticated" ],
"redirectUris" : [ "http://localhost:8080/shipping/*" ],
"webOrigins" : [ ],
"notBefore" : 0,
"bearerOnly" : false,
"consentRequired" : false,
"standardFlowEnabled" : true,
"implicitFlowEnabled" : false,
"directAccessGrantsEnabled" : true,
"serviceAccountsEnabled" : false,
"publicClient" : true,
"frontchannelLogout" : false,
"protocol" : "openid-connect",
"attributes" : {
"saml.assertion.signature" : "false",
"saml.force.post.binding" : "false",
"saml.multivalued.roles" : "false",
"saml.encrypt" : "false",
"saml_force_name_id_format" : "false",
"saml.client.signature" : "false",
"saml.authnstatement" : "false",
"saml.server.signature" : "false"
},
"fullScopeAllowed" : true,
"nodeReRegistrationTimeout" : -1,
"protocolMappers" : [ {
"id" : "b2eb4fed-68e3-4064-b0a8-f5926696a99f",
"name" : "username",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-property-mapper",
"consentRequired" : true,
"consentText" : "${username}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "username",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "preferred_username",
"jsonType.label" : "String"
}
}, {
"id" : "1b943ce9-b67b-4ce5-a5d8-3d795900555b",
"name" : "locale",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-attribute-mapper",
"consentRequired" : false,
"consentText" : "${locale}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "locale",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "locale",
"jsonType.label" : "String"
}
}, {
"id" : "f14bc53c-1d7b-480d-b2da-72b1e47e7f1e",
"name" : "email",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-property-mapper",
"consentRequired" : true,
"consentText" : "${email}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "email",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "email",
"jsonType.label" : "String"
}
}, {
"id" : "5429c06f-8b9b-4b33-bbb3-015117922910",
"name" : "role list",
"protocol" : "saml",
"protocolMapper" : "saml-role-list-mapper",
"consentRequired" : false,
"config" : {
"single" : "false",
"attribute.nameformat" : "Basic",
"attribute.name" : "Role"
}
}, {
"id" : "95315e0e-1136-4e06-9f04-8ccbb29d2c70",
"name" : "family name",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-property-mapper",
"consentRequired" : true,
"consentText" : "${familyName}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "lastName",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "family_name",
"jsonType.label" : "String"
}
}, {
"id" : "a371b53c-5543-4188-a16f-005db9a73d7a",
"name" : "full name",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-full-name-mapper",
"consentRequired" : true,
"consentText" : "${fullName}",
"config" : {
"id.token.claim" : "true",
"access.token.claim" : "true"
}
}, {
"id" : "e3ca3001-3f19-4654-b84c-7a352306cad1",
"name" : "given name",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-property-mapper",
"consentRequired" : true,
"consentText" : "${givenName}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "firstName",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "given_name",
"jsonType.label" : "String"
}
} ],
"useTemplateConfig" : false,
"useTemplateScope" : false,
"useTemplateMappers" : false
}
--
<http://www.trimble.com/>
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 <+32%2016%20391%20121> Direct
david.delbecq at trimbletl.com
<http://www.trimbletl.com/>
More information about the keycloak-user
mailing list