[keycloak-user] RestTemplate support for service account access

Aritz Maeztu amaeztu at tesicnor.com
Mon Jan 11 03:51:47 EST 2016


OK, many thanks Scott!

On 05/01/2016 at 19:14, Scott Rossillo wrote:
> If you want the database service to redirect users to the login page, 
> it must be changed to confidential. If the front end itself is a 
> client of Keycloak, then leaving the service as bearer only is fine.
>
> The example is obviously a bit contrived but the idea was that no 
> user, even an admin, would authenticate directly to the database 
> service. If there were to be an admin interface for the database, it 
> would be another client in the same realm. Ultimately it’s a design 
> decision you have to make when you consider what works well for your 
> organization.
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>
>> On Jan 5, 2016, at 10:30 AM, Amaeztu <amaeztu at tesicnor.com> wrote:
>>
>> Well, this example answers the asked question, so many thanks Scott. 
>> However, I still have some doubts.
>>
>> In the given code, the database service can only be accessed from 
>> another client (bearer only). However, let's suppose I also want to 
>> have access to its endpoints from a Web browser, for purely 
>> administrative purposes and only with the ADMIN role. I should change 
>> the access to confidential. Then I want to access the service from 
>> the customer app, but, since the current user role might not be 
>> ADMIN, I wouldn't be authorized for the remote access.
>>
>> The only solution I can think of for this is to keep the database 
>> service access bearer only and implement a specific database-ui 
>> service, which should replicate all the original endpoints (this 
>> involves adding a new endpoint to the ui service every time I do it in 
>> the db service).
>>
>> Is there a way of solving this which avoids having a specific ui 
>> service implemented? Sorry about all the questions, I'm still a starter!
>>
>> Sent from my Sony Xperia™ phone
>>
>>
>>
>> ---- Scott Rossillo wrote ----
>>
>> Take a look at these Spring samples. It's set up automatically:
>>
>> https://github.com/foo4u/keycloak-spring-demo/blob/master/customer-app/src/main/java/org/keycloak/example/spring/customer/service/RemoteCustomerService.java
>> On Tue, Dec 29, 2015 at 12:31 PM Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>>
>>     At this moment there's a KeycloakRestTemplate to use in Spring
>>     which allows an end user to retrieve data from other Keycloak
>>     clients. However, a client might also be interested in accessing
>>     data with its own permissions and with no user interaction. Is
>>     there any implementation of a RestTemplate to utilize client
>>     service accounts and, if not, are there any plans to write it?
>>     This demo
>>     <https://github.com/keycloak/keycloak/blob/master/examples/demo-template/service-account/src/main/java/org/keycloak/example/ProductServiceAccountServlet.java>
>>     seems to do it manually.
>>
>>     Regards
>>     -- 
>>     Aritz Maeztu Otaño
>>     Software Development Department
>>     <http://www.tesicnor.com/>
>>
>>     Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
>>     Tel.: 948 21 40 40
>>     Fax: 948 21 40 41
>>
>>     Before printing this e-mail, think carefully about whether it is
>>     necessary: the environment is everyone's concern.
>

-- 
Aritz Maeztu Otaño
Software Development Department
<http://www.tesicnor.com>

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel.: 948 21 40 40
Fax: 948 21 40 41

Before printing this e-mail, think carefully about whether it is necessary: 
the environment is everyone's concern.
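
As an added example (not part of this thread, and not code from Keycloak or the linked demos): a Spring `ClientHttpRequestInterceptor` that obtains a token with the OAuth 2.0 client credentials grant, which is what a client service account uses, caches it until shortly before expiry, and attaches it to outgoing `RestTemplate` calls. It assumes Spring Framework 5.1 or later with Jackson on the classpath and a confidential client with service accounts enabled; the class name and constructor parameters are hypothetical, and `tokenUrl` stands for the realm's OpenID Connect token endpoint.

```java
import java.io.IOException;
import java.time.Instant;
import java.util.Map;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.MediaType;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

// Hypothetical class: adds a service-account bearer token to every outgoing request.
public class ServiceAccountInterceptor implements ClientHttpRequestInterceptor {
    private final RestTemplate tokenClient = new RestTemplate(); // plain template, no interceptor
    private final String tokenUrl, clientId, clientSecret;
    private String token;
    private Instant refreshAt = Instant.MIN; // forces a fetch on first use

    public ServiceAccountInterceptor(String tokenUrl, String clientId, String clientSecret) {
        if (!tokenUrl.startsWith("https://")) // secret and token must not travel in clear text
            throw new IllegalArgumentException("token endpoint must use https");
        this.tokenUrl = tokenUrl; this.clientId = clientId; this.clientSecret = clientSecret;
    }

    private synchronized String currentToken() {
        if (Instant.now().isBefore(refreshAt)) return token; // reuse the cached token
        HttpHeaders h = new HttpHeaders();
        h.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        h.setBasicAuth(clientId, clientSecret); // the client authenticates as itself, no user involved
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "client_credentials");
        Map<?, ?> body = tokenClient.postForObject(tokenUrl, new HttpEntity<>(form, h), Map.class);
        if (body == null || !(body.get("access_token") instanceof String))
            throw new IllegalStateException("token endpoint returned no access_token");
        token = (String) body.get("access_token");
        Object exp = body.get("expires_in"); // lifetime in seconds; a missing value disables caching
        long ttl = exp instanceof Number ? Math.max(0, ((Number) exp).longValue() - 30) : 0;
        refreshAt = Instant.now().plusSeconds(ttl); // renew 30 s before expiry
        return token;
    }

    @Override
    public ClientHttpResponse intercept(HttpRequest req, byte[] body, ClientHttpRequestExecution exec) throws IOException {
        req.getHeaders().setBearerAuth(currentToken()); // Authorization: Bearer <service-account token>
        return exec.execute(req, body);
    }
}
```

Register it with `restTemplate.getInterceptors().add(...)`; a bearer-only service receiving these calls then authorizes against the roles granted to the client's service account rather than those of the end user.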
