[keycloak-user] Cross Realm authorization

david_christian.herrmann at daimler.com david_christian.herrmann at daimler.com
Fri Dec 14 02:32:15 EST 2018


Hello,

we implemented a custom REST endpoint using RealmResourceProvider to search for users by their attributes. We then secured the endpoint by using:

import org.keycloak.services.managers.AuthenticationManager;
import javax.ws.rs.NotAuthorizedException;

// authManager: the AuthenticationManager used by the provider (assumed to be an
// AppAuthManager instance); session: the KeycloakSession handed to the
// RealmResourceProvider. The token is checked against the realm bound to that session.
AuthenticationManager.AuthResult authResult =
      authManager.authenticateBearerToken(session);

if (authResult == null) {
   throw new NotAuthorizedException("Bearer token required");
}

And


// auth: the admin-auth object built from authResult; client: the ClientModel whose
// "view-users" role the caller must hold (both resolved earlier in the endpoint).
if (!auth.hasClientRole(client, "view-users")) {
   throw new NotAuthorizedException("Necessary permission not available");
}

We now have the problem that we want to access the endpoint with technical users which are in the master realm, to separate them from the real end-users.

So the technical users get their access token from the master realm (which contains the necessary resource permissions for the user realm) and then access the endpoint in the user realm.

Here

AuthenticationManager.AuthResult authResult =
      authManager.authenticateBearerToken(session);

if (authResult == null) {
   throw new NotAuthorizedException("Bearer token required");
}

always results in unauthorized.

Looking at the code and testing, I think cross-realm authentication is not possible with authenticateBearerToken(). Correct? Do you have a suggestion how to achieve our goal?

Mit freundlichen Grüßen / With kind regards



David Herrmann

RD/UIA
Team Rising Stars

Daimler AG
HPC G464
70546 Stuttgart
Mobil: +49 176 309 369 87

What3Words Address:
ellbogen.sprüche.anfänge

E-Mail: david_christian.herrmann at daimler.com
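As an added illustration (not code from the post or from Keycloak itself), here is a standalone Python model of a realm-bound bearer-token check: each realm has its own issuer URL and signing key, so a token minted by the master realm is rejected when presented to an endpoint that validates against the user realm. BASE_URL, REALM_KEYS, the realm names and the HS256 scheme are constructed stand-ins for the per-realm RSA keys Keycloak uses.

```python
import base64
import hmac
import hashlib
import json

# Constructed realm setup: every realm has its own issuer URL and its own signing key.
# (Keycloak realms use per-realm RSA keys; an HMAC key stands in for that here.)
BASE_URL = "https://sso.example.invalid/auth"
REALM_KEYS = {
    "master": b"master-realm-secret-key",
    "users": b"users-realm-secret-key",
}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(realm: str, subject: str, roles: list) -> str:
    """Mint an HS256 token the way the given (constructed) realm would."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": f"{BASE_URL}/realms/{realm}", "sub": subject, "roles": roles}
    signing_input = f"{_b64url_encode(json.dumps(header).encode())}.{_b64url_encode(json.dumps(payload).encode())}"
    sig = hmac.new(REALM_KEYS[realm], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"

def authenticate_bearer_token(token: str, realm: str):
    """Validate a bearer token for the realm that owns the endpoint.
    The signature must verify with THIS realm's key and the issuer must be THIS
    realm; anything else yields None, i.e. the 401 the post describes."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None  # not a three-part JWT
    expected = hmac.new(REALM_KEYS[realm], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None  # signed by another realm's key (or tampered with)
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != f"{BASE_URL}/realms/{realm}":
        return None  # issued by a different realm
    return claims

def has_client_role(claims: dict, role: str) -> bool:
    return role in claims.get("roles", [])
```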


