[keycloak-user] Securing rest api with keycloak without cookie

Sebastien Blanc sblanc at redhat.com
Fri Mar 2 04:09:00 EST 2018


On Thu, Mar 1, 2018 at 9:42 PM, Rudolf Jurišić <rudolf.jurisic at degordian.com> wrote:

> Hi guys!
>
> I am building a nodejs restify app.
> I want to protect my endpoints, but to use the login programmatically.
>
> I used the example from
> https://github.com/v-ladynev/keycloak-nodejs-example/blob/master/app.js
>
> I make a request to the server
> http://localhost:3000/login?login=admin_user&password=admin_user&client_id=CAMPAIGN_CLIENT
>
> and get a response with tokens.
> {
>     "access_token": {
>         "token": "eyJhbGciOiJSUzI1NiIs...
>
> With this token I then make a request with Authorization header bearer plus
> token to a keycloak.protected endpoint.
>
> If I do it with cookie, everything works fine.
>
> Can I do it without cookie (for example from postman), just by using the
> token in every request I make on the protected endpoints?
>
Yes.

>
> And more importantly, is this a good flow and can it work like this:
> 1. obtain tokens
> 2. use bearer with the access token for every request to protected
> endpoints
>
Yes, this is the basic flow of a front end obtaining the token (through
redirect or programmatically, like you do) and using it against a bearer-only
backend.

>
> ?
>
> Thanks
>
>
> --
> *RUDOLF JURIŠIĆ*
>  #SENIOR_SOFTWARE_DEVELOPER
> rudolf.jurisic at degordian.com
> +385 99 2737 781
>
> www.degordian.com
> <http://www.degordian.com/?utm_source=signature&utm_
> medium=email&utm_content=rudolf.jurisic&utm_campaign=_d_email%20signature>
> www.facebook.com/Degordian
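The bearer-only side of the flow confirmed in this thread, as an added example that is not part of the original messages and is not the Keycloak adapter's own code: the backend decides each request from the `Authorization` header alone, with no cookie or session. The key pair, the issuer URL and the names `issueToken` and `verifyBearer` are assumptions made for the illustration.

```javascript
// Added example: stateless bearer-token check (no cookie, no session).
const crypto = require('node:crypto');

// Constructed stand-ins: a real API would hold only the realm's public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUER = 'http://localhost:8080/auth/realms/demo'; // hypothetical realm URL

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Stand-in for step 1 (obtain tokens): signs a constructed RS256 JWT.
function issueToken(claims, key = privateKey) {
  const input = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input), key).toString('base64url');
  return `${input}.${sig}`;
}

// Step 2 on the backend: every request is judged only on its Authorization header.
// `headers` uses lower-case names, as Node's req.headers does.
function verifyBearer(headers, now = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(headers.authorization || '');
  if (!m) return { status: 401, error: 'missing or malformed bearer token' };
  const [, h, p, s] = m;
  let header, claims;
  try {
    header = decode(h);
    claims = decode(p);
  } catch (e) {
    return { status: 401, error: 'undecodable token' };
  }
  // Pin the algorithm instead of letting the token's header choose it.
  if (!header || header.alg !== 'RS256') return { status: 401, error: 'unexpected alg' };
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify('sha256', signed, publicKey, Buffer.from(s, 'base64url'))) {
    return { status: 401, error: 'bad signature' };
  }
  if (!claims || claims.iss !== ISSUER) return { status: 401, error: 'wrong issuer' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) {
    return { status: 401, error: 'expired' };
  }
  return { status: 200, user: claims.preferred_username };
}
```

A production check would additionally select the realm key by the token's `kid` and validate the audience.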

