[keycloak-user] Securing Angular + REST based app using keycloak OIDC

Pulkit Gupta pulgupta at redhat.com
Tue May 30 05:23:17 EDT 2017


Hi All,

We are looking to integrate an application with Keycloak.
It is an Angular + REST application in which the REST services are
developed in Java and are running on EAP 6.

From my reading I can figure out that we should secure both the front end
and the back end separately.

The Angular front-end can be secured using the JavaScript adapter, which will
check whether a user has an access token and, if not, redirect the user to
Keycloak. Once the user acquires an access token, it sends the same token
to the REST services. We can configure the REST service as a bearer-only client
which will check the validity of the token against Keycloak and return
the business data. We can use the EAP 6 OIDC Java adapter for Keycloak to
secure the REST part.

However, there is one limitation: our setup only supports implicit flow.
I am sure with implicit flow we can achieve the Angular side of the
authentication. However, I am not sure if we can make use of the Java OIDC
adapter to actually validate and secure our REST APIs.

Can you please guide me on whether this is achievable with implicit flow?

Regards,
Pulkit
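
The bearer-token check described in the message above, sketched as an added example in Node.js; it is not part of the original post and is not the Keycloak adapter's code. It shows the per-request checks a bearer-only REST service can make on the token alone (signature, issuer, expiry). The realm URL, the key pair, and the names `issueToken` and `validateBearer` are assumptions made for illustration.

```javascript
// Added illustration: checks a bearer-only REST service applies to an access token.
const nodeCrypto = require('crypto');

// Constructed realm key pair; a real service would hold only the realm's public key.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUER = 'https://sso.example.test/auth/realms/demo'; // hypothetical realm URL
const b64url = (data) => Buffer.from(data).toString('base64url');

// Hypothetical helper standing in for the identity provider: signs an RS256 token.
function issueToken(claims, key = privateKey) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = nodeCrypto.sign('sha256', Buffer.from(`${head}.${body}`), key);
  return `${head}.${body}.${b64url(sig)}`;
}

// Validates an Authorization header value; returns the claims or throws.
function validateBearer(authorization, now = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorization || '');
  if (!m) throw new Error('missing or malformed bearer token');
  const [, head, body, sig] = m;
  // Pin the algorithm: never let the token header choose "none" or an HMAC variant.
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${head}.${body}`);
  const ok = nodeCrypto.verify('sha256', signed, publicKey, Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Only read claims after the signature has been verified.
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  return claims;
}
```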

