[keycloak-user] OAuth and achieving authorisation across apps - repost

Marek Posolda mposolda at redhat.com
Fri Mar 18 04:59:15 EDT 2016


On 18/03/16 08:07, Simon Gordon wrote:
> [Repost]
>
> Hey all
>
> I feel compelled to ask another basic question of you, thanks in advance!
>
> Looking at the demos, in a basic OAuth2 scenario, the protected resource
> server (let's use the database-server within the demo-templates) is
> configured in keycloak.json as: {
>    "realm" : "demo",
>    "resource" : "database-service",
>    "realm-public-key" :
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
>    "auth-server-url": "/auth",
>    "bearer-only" : true,
>    "ssl-required" : "external"
> }
>
> In the web.xml, the database-service is permitting only requests ('/*') to
> those clients that have been granted the 'user' role.
>
> In the design, this service is receiving bearer tokens only - so can I
> assume that the bearer token has the roles associated with the token
> encoded within the bearer token? (Plus the token is signed with the realm
> key)
Yes, the roles are available in the access token. The access token is a 
JWT and contains various claims (attributes) of the user as well as roles. 
The database service translates roles from the token to JEE roles, which 
is done by our adapter.

Marek
>
> Or is there a back-channel conversation which I can't see in the
> configuration, maybe derived from 'auth-server-url'?
>
> Thank you for any thoughts!
>
> Regards,
>
>     Simon
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
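The check Marek describes, written out as an added example (this is not Keycloak's Java adapter and not code from the thread): a bearer-only resource server holds only the realm public key from keycloak.json, verifies the RS256 signature over the token locally, validates issuer, expiry and token type, and then maps `realm_access.roles` onto the `user` role that web.xml demands for `/*`. The RSA key pair, the issuer URL `https://localhost/auth/realms/demo` and the signing helper are constructed here purely to produce test input; `signRS256` stands in for the authorization server.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of Keycloak access-token claims this example inspects.
// Keycloak places realm-level roles under realm_access.roles.
type Claims struct {
	Issuer      string `json:"iss"`
	Expiry      int64  `json:"exp"`
	Type        string `json:"typ"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signRS256 plays the authorization server and mints an RS256-signed JWT.
// It exists only to produce constructed input for verifyBearer below.
func signRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// verifyBearer is the resource-server side. Everything it needs is the realm
// public key and the token itself, so no call back to the auth server is made.
// It pins the algorithm, checks the signature over the header.payload bytes,
// and only then trusts the claims enough to validate issuer, expiry and type.
func verifyBearer(pub *rsa.PublicKey, token, issuer string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = b
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Never let the token choose the algorithm: RS256 with the realm key, or nothing.
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header missing or alg is not RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature does not verify against realm public key")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Issuer != issuer:
		return nil, fmt.Errorf("wrong issuer %q", c.Issuer)
	case now.Unix() >= c.Expiry:
		return nil, errors.New("token expired")
	case c.Type != "Bearer": // Keycloak access tokens carry typ=Bearer
		return nil, fmt.Errorf("typ %q is not a bearer access token", c.Type)
	}
	return &c, nil
}

// hasRole is the adapter's role mapping in miniature: the web.xml constraint
// on /* is satisfied only if the verified token carries the required role.
func hasRole(c *Claims, required string) bool {
	for _, r := range c.RealmAccess.Roles {
		if r == required {
			return true
		}
	}
	return false
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed realm key pair
	if err != nil {
		panic(err)
	}
	iss := "https://localhost/auth/realms/demo" // assumed issuer for the demo realm
	now := time.Now()
	c := Claims{Issuer: iss, Expiry: now.Add(5 * time.Minute).Unix(), Type: "Bearer"}
	c.RealmAccess.Roles = []string{"user"}
	tok, _ := signRS256(priv, c)
	claims, err := verifyBearer(&priv.PublicKey, tok, iss, now)
	fmt.Println("verified:", err == nil, "granted user role:", err == nil && hasRole(claims, "user"))
}
```

The order matters: the signature is checked before any claim is read, so a payload whose roles were edited after signing is rejected at the signature step rather than being parsed at all, and the algorithm is fixed by the verifier instead of read from the untrusted header.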