[keycloak-user] Multiple access types for a single Spring Boot application

Sebastien Blanc sblanc at redhat.com
Wed Apr 26 12:32:30 EDT 2017


Don't make your client "bearer-only" and instead in your config add:
"autodetect-bearer-only" : true

That should solve your issue.



On Wed, Apr 26, 2017 at 6:13 PM, Jonathan D'Andries <
jonathandandries at gmail.com> wrote:

> Here is what I want to do:
>
> I have built REST services in Spring Boot. For the services themselves, I
> want to use "bearer-only" access type so that applications are NOT
> redirected to a login page if unauthenticated.
>
> However, I want the generated swagger documentation to use the
> "confidential" access type so that swagger-ui.html redirects the
> user/browser to a login page and captures the token that will then be passed
> to the services when testing things out.
>
> It seems like the best way to accomplish this is with two clients similar
> to the demo here:
>
> http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
>
> My concern is that having two client configurations in my spring boot
> application.yml doesn't seem possible - am I missing something? I am aware
> of the multi-tenant options for Keycloak, but I don't actually want two
> different realms:
>
> https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/multi-tenancy.html
>
> For whatever configuration I come up with, I want the user's token to apply
> to both the swagger-ui and the services, but with two different access
> types.
>
> Here are some things I've learned so far:
>
> I'm aware that swagger-ui offers an option to authenticate its services
> with a token. There are two limitations of this approach:
>  1. With springfox generated swagger, it doesn't seem to work. I'd have to
> put a lot of effort to fix this, and I'd rather not because
>  2. You would still need to get a token from somewhere, and that means
> pointing users to another login page that isn't automatically prompted when
> you go to swagger-ui. It just seems like a more annoying user experience to
> have to take extra steps to generate a token and then paste that into
> swagger-ui.
>
> I'm also aware that my spring boot configuration can be more restrictive
> than the keycloak client configuration. In other words, I can restrict to
> bearer-only in my service even if the client is configured for confidential
> access type. If there is a way for different values for
> keycloak.bearer-only based on URL pattern in the
> keycloak-spring-boot-adapter, this could be a real option.
>
>
> Thanks for any help/advice you may have.
>
> Jonathan


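An added sketch, not part of the thread and not Keycloak's own code, of how the "autodetect-bearer-only" setting suggested above tells browsers from API clients: the adapter documentation describes the detection as based on typical headers such as X-Requested-With, SOAPAction and Accept. The class name, the exact matching rules and the sample requests are assumptions made for illustration, and the adapter version in use may behave differently.

```java
import java.util.List;
import java.util.Map;

// Simplified model (an assumption, not Keycloak source) of the header check
// behind "autodetect-bearer-only": decide whether an unauthenticated request
// gets a 401 (API client) or a redirect to the login page (browser).
public class AutodetectBearerOnlyModel {

    enum Challenge { HTTP_401, REDIRECT_TO_LOGIN }

    // Header names are expected in lower case in this model.
    static Challenge challengeFor(Map<String, List<String>> headers) {
        List<String> xrw = headers.getOrDefault("x-requested-with", List.of());
        if (xrw.stream().anyMatch("XMLHttpRequest"::equalsIgnoreCase)) {
            return Challenge.HTTP_401;            // AJAX call from a loaded page
        }
        if (headers.containsKey("soapaction")) {
            return Challenge.HTTP_401;            // SOAP client
        }
        for (String accept : headers.getOrDefault("accept", List.of())) {
            // Anything willing to render HTML is treated as a browser.
            if (accept.contains("text/html") || accept.contains("text/*")
                    || accept.contains("*/*")) {
                return Challenge.REDIRECT_TO_LOGIN;
            }
        }
        return Challenge.HTTP_401;                // e.g. Accept: application/json
    }

    public static void main(String[] args) {
        // Constructed sample requests, all sent without a bearer token.
        Map<String, Map<String, List<String>>> samples = Map.of(
            "browser opening swagger-ui.html",
                Map.of("accept", List.of("text/html,application/xhtml+xml,*/*;q=0.8")),
            "REST client asking for JSON",
                Map.of("accept", List.of("application/json")),
            "XHR from a loaded page",
                Map.of("x-requested-with", List.of("XMLHttpRequest"),
                       "accept", List.of("*/*")),
            "client sending Accept: */*",
                Map.of("accept", List.of("*/*")));
        samples.forEach((name, h) ->
            System.out.printf("%-32s -> %s%n", name, challengeFor(h)));
    }
}
```

In this model a REST client that sends `Accept: */*` is classified as a browser and redirected, so service callers should request an explicit media type such as `application/json`. The headers are client-supplied, so the check only selects the challenge for unauthenticated requests; access to the services still depends on a valid token.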