[keycloak-user] Multiple access types for a single Spring Boot application
Sebastien Blanc
sblanc at redhat.com
Wed Apr 26 14:04:17 EDT 2017
On Wed, Apr 26, 2017 at 7:23 PM, Jonathan D'Andries <
jonathandandries at gmail.com> wrote:
> Thank you Sebastien,
>
> This is SO close to a perfect solution. It appears that including "Accept:
> application/json" header allows the service to determine if bearer-only
> should be enabled based on well-known HTTP headers. Unfortunately, it still
> doesn't let me call the services via swagger without specifying the
> bearer-token explicitly. This is because swagger is calling the service as
> if it were a machine (by including the Accept header). In a perfect world,
> the auto-detect logic would allow me to use swagger to call the services as
> if it were a web browser even though it's including the headers that
> indicated it's a machine. My hope is that it would detect an existing
> session state that provides authentication/authorization info, and this
> would override the test for the HTTP headers.
>
> Here is how I would like "autodetect-bearer-only" to behave:
> - If you are accessing with a web browser and not specifying the detected
> headers, it works perfectly as-is. In this case, the user is redirected to
> a login page, and future access is authenticated with a session cookie.
> However,
> - If you are specifying the headers that indicate you are a machine (even
> if still in a web browser session), then the service will only
> authentication with the "Authentication: bearer ..." header. What I want is
> for this option to respect the session state if it happens to exist.
>
> I'm worried that I may be asking for a code change in the way the
> autodetect logic works. Instead of just looking for the typical headers
> "X-Requested-With, SOAPAction or Accept," could it also check if the user
> is already logged in with existing session state?
>
We have at least another use case where this would be needed (JSF app
making Ajax requests) and where the session state should be honored inside
a bearer-only request. So I think I will open a ticket for this
specifically so we can start planning and discussing around this
enhancement.
Unfortunately until then I don't see a real workaround for this.
>
>
> Is there a way to make this work? Or perhaps there is a reason this is a
> bad idea?
>
>
> Thanks,
>
> Jonathan
>
>
>
> On Wed, Apr 26, 2017 at 11:32 AM, Sebastien Blanc <sblanc at redhat.com>
> wrote:
>
>> Don't make your client "bearer-only" and instead in your config add :
>> "autodetect-bearer-only" : true
>>
>> That should solve your issue.
>>
>>
>>
>> On Wed, Apr 26, 2017 at 6:13 PM, Jonathan D'Andries <
>> jonathandandries at gmail.com> wrote:
>>
>>> Here is what I want to do:
>>>
>>> I have built REST services in Spring Boot. For the services themselves, I
>>> want to use "bearer-only" access type so that applications are NOT
>>> redirected to a login page if unauthenticated.
>>>
>>> However, I want the generated swagger documentation to use the
>>> "confidential" access type so that swagger-ui.html redirects the
>>> user/browser to a login page and capture the token that will then be
>>> passed
>>> to the services when testing things out.
>>>
>>> It seems like the best way to accomplish this is with two clients similar
>>> to the demo here:
>>>
>>> http://blog.keycloak.org/2015/10/getting-started-with-keyclo
>>> ak-securing.html
>>>
>>> My concern is that having two client configurations in my spring boot
>>> application.yml doesn't seem possible - am I missing something? I am
>>> aware
>>> of the multi-tenant options for Keycloak, but I don't actually want two
>>> different realms:
>>>
>>> https://keycloak.gitbooks.io/documentation/securing_apps/top
>>> ics/oidc/java/multi-tenancy.html
>>>
>>> For whatever configuration I come up with, I want the user's token to
>>> apply
>>> to both the swagger-ui and the services, but with two different access
>>> types.
>>>
>>> Here are some things I've learned so far:
>>>
>>> I'm aware that swagger-ui offers an option to authenticate it's services
>>> with a token. There are two limitations of this approach:
>>> 1. With springfox generated swagger, it doesn't seem to work. I'd have
>>> to
>>> put a lot of effort to fix this, and I'd rather not because
>>> 2. You would still need to get a token from somewhere, and that means
>>> pointing users to another login page that isn't automatically prompted
>>> when
>>> you go to swagger-ui. It just seems like a more annoying user experience
>>> to
>>> have to take extra steps to generate a token and then paste that into
>>> swagger-ui.
>>>
>>> I'm also aware that my spring boot configuration can be more restrictive
>>> than the keycloak client configuration. In other words, I can restrict to
>>> bearer-only in my service even if the client is configured for
>>> confidential
>>> access type. If there is a way for different values for
>>> keycloak.bearer-only based on URL pattern in the
>>> keycloak-spring-boot-adapter, this could be a real option.
>>>
>>>
>>> Thanks for any help/advice you may have.
>>>
>>> Jonathan
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
More information about the keycloak-user
mailing list