[keycloak-user] RestTemplate support for service account access

Scott Rossillo srossillo at smartling.com
Tue Jan 5 13:14:39 EST 2016


If you want the database service to redirect users to the login page, it must be changed to confidential. If the front end itself is a client of Keycloak, then leaving the service as bearer only is fine.

The example is obviously a bit contrived but the idea was that no user, even an admin, would authenticate directly to the database service. If there were to be an admin interface for the database, it would be another client in the same realm. Ultimately it’s a design decision you have to make when you consider what works well for your organization.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com


> On Jan 5, 2016, at 10:30 AM, Amaeztu <amaeztu at tesicnor.com> wrote:
> 
> Well, this example answers the question asked, so many thanks Scott. However, I still have some doubts.
> 
> In the given code, the database service can only be accessed from another client (bearer only). However, let's suppose I also want to have access to its endpoints from a Web browser, purely for administrative purposes and only with the ADMIN role. I should change the access to confidential. Then I want to access the service from the customer app, but, since the current user's role might not be ADMIN, I wouldn't be authorized for the remote access.
> 
> The only solution I can think of for this is to keep the database service access bearer only and implement a specific database-ui service, which would have to replicate all the original endpoints (this involves adding a new endpoint to the UI service every time I add one to the DB service).
> 
> Is there a way of solving this which avoids having a specific UI service implemented? Sorry about all the questions, I'm still a starter!
> 
> Sent from my Sony Xperia™ phone
> 
> 
> 
> ---- Scott Rossillo wrote ----
> 
> Take a look at these Spring samples. It's set up automatically:
> 
> https://github.com/foo4u/keycloak-spring-demo/blob/master/customer-app/src/main/java/org/keycloak/example/spring/customer/service/RemoteCustomerService.java
> On Tue, Dec 29, 2015 at 12:31 PM Aritz Maeztu <amaeztu at tesicnor.com> wrote:
> At this moment there's a KeycloakRestTemplate for use in Spring which allows an end user to retrieve data from other Keycloak clients. However, a client might also be interested in accessing data with its own permissions and with no user interaction. Is there any implementation of a RestTemplate to utilize client service accounts and, if not, are there any plans to write it? This demo <https://github.com/keycloak/keycloak/blob/master/examples/demo-template/service-account/src/main/java/org/keycloak/example/ProductServiceAccountServlet.java> seems to do it manually.
> 
> Regards
> -- 
> Aritz Maeztu Otaño
> Software Development Department
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Tel.: 948 21 40 40
> Fax: 948 21 40 41
> Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's concern.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
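
The "manual" approach Aritz's original question refers to, written out as a Spring RestTemplate interceptor, as an added example that is not from the thread, the linked demo or the Keycloak project itself: the customer app is a confidential client with a service account, it obtains a token from Keycloak's token endpoint with the standard OAuth2 client_credentials grant (no user involved), caches it until shortly before expiry, and sends it as a Bearer token to the database service, which can stay bearer-only as Scott suggests. The realm name, client id, hostnames and the environment variable holding the client secret are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

/**
 * Adds a service-account (client_credentials) access token to every outgoing
 * request. The calling client must be "confidential" with service accounts
 * enabled in Keycloak; the service being called can remain bearer-only.
 */
public class ServiceAccountInterceptor implements ClientHttpRequestInterceptor {

    // Assumed values: replace with your own Keycloak host, realm and client.
    private static final String TOKEN_ENDPOINT =
        "https://keycloak.example.com/auth/realms/demo/protocol/openid-connect/token";
    private static final String CLIENT_ID = "customer-app";
    // The secret is read from the environment rather than being hardcoded (assumed variable name).
    private static final String CLIENT_SECRET = System.getenv("CUSTOMER_APP_SECRET");

    // Fetch a fresh token this many seconds before Keycloak says the current one expires.
    private static final long EXPIRY_SKEW_SECONDS = 30;

    // Separate, interceptor-free template for the token call, so we never intercept ourselves.
    private final RestTemplate tokenClient = new RestTemplate();
    private String accessToken;
    private long expiresAtMillis;

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                                        ClientHttpRequestExecution execution) throws IOException {
        request.getHeaders().set(HttpHeaders.AUTHORIZATION, "Bearer " + currentToken());
        return execution.execute(request, body);
    }

    /** Returns the cached token, fetching a new one when it is missing or about to expire. */
    private synchronized String currentToken() {
        long now = System.currentTimeMillis();
        if (accessToken == null || now >= expiresAtMillis) {
            fetchToken(now);
        }
        return accessToken;
    }

    @SuppressWarnings({"unchecked", "rawtypes"})
    private void fetchToken(long now) {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);

        // OAuth2 client_credentials grant: the client authenticates as itself, no user login.
        MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
        form.add("grant_type", "client_credentials");
        form.add("client_id", CLIENT_ID);
        form.add("client_secret", CLIENT_SECRET);

        ResponseEntity<Map> response = tokenClient.postForEntity(
            TOKEN_ENDPOINT, new HttpEntity<MultiValueMap<String, String>>(form, headers), Map.class);
        Map<String, Object> json = response.getBody();
        if (json == null || json.get("access_token") == null) {
            throw new IllegalStateException("Token endpoint returned no access_token");
        }
        accessToken = (String) json.get("access_token");
        long expiresIn = ((Number) json.get("expires_in")).longValue();
        expiresAtMillis = now + Math.max(0, expiresIn - EXPIRY_SKEW_SECONDS) * 1000;
    }

    /** Builds a RestTemplate whose every call carries the service-account token. */
    public static RestTemplate serviceAccountRestTemplate() {
        RestTemplate template = new RestTemplate();
        template.setInterceptors(
            Collections.<ClientHttpRequestInterceptor>singletonList(new ServiceAccountInterceptor()));
        return template;
    }

    public static void main(String[] args) {
        RestTemplate rest = serviceAccountRestTemplate();
        // Hypothetical endpoint on the bearer-only database service.
        String products = rest.getForObject("https://database-service.example.com/products", String.class);
        System.out.println(products);
    }
}
```

The token call goes through a second, plain RestTemplate so the interceptor does not recurse into itself, and the token is refreshed a little before the `expires_in` reported by Keycloak so a request is not sent with a token that expires in flight. What the database service is allowed to do with this token is decided by the roles mapped to the customer app's service account, not by any end user's roles, which is exactly the separation Aritz was asking about.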
