[keycloak-user] OAuth and achieving authorisation across apps - repost
Simon Gordon
dev at sgordon.totalise.co.uk
Fri Mar 18 03:07:27 EDT 2016
[Repost]
Hey all
I feel compelled to ask another basic question of you, thanks in advance!
Looking at the demos, in a basic OAuth2 scenario, the protected resource
server (let's use the database-server within the demo-templates) is
configured in keycloak.json as: {
"realm" : "demo",
"resource" : "database-service",
"realm-public-key" :
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
"auth-server-url": "/auth",
"bearer-only" : true,
"ssl-required" : "external"
}
In the web.xml, the database-service is permitting only requests ('/*') to
those clients that have been granted the 'user' role.
In the design, this service is receiving bearer tokens only - so can I
assume that the bearer token has the roles associated with the token
encoded within the bearer token? (Plus the token is signed with the realm
key)
Or is there a back-channel conversation which I can't see in the
configuration, maybe derived from 'auth-server-url'?
Thank you for any thoughts!
Regards,
Simon
More information about the keycloak-user
mailing list