[keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients?
Bruce Wings
testoauth55 at gmail.com
Mon Nov 12 00:16:35 EST 2018
The solution that worked for me was suggested by Jim Talbut <
jtalbut at spudsoft.co.uk>. He was unable to post on the mailing list, so
posting on his behalf.
You need to create a ScriptMapper because it lets you put multiple values,
so you can use that to overwrite the aud with both the desired values. In
below example, JettyApp is my confidential client and Webapp is public
client.
- Protocol: openid-connect
- Name: aud
- Mapper Type: Script Mapper
- Script: new java.util.ArrayList(["Jettyapp","Webapp"]);
- Multivalued: ON
- Token Claim Name: aud
- Claim JSON Type: String
On Sat, Nov 3, 2018 at 10:30 PM Bruce Wings <testoauth55 at gmail.com> wrote:
> Geoffrey,
>
> I was able to get the config right. I have received the aud:JettyApp in
> generated token also, but I still get 401:Unauthorized for the backend app.
> Anything else needs to be done?
>
> Token (Partial):
> "jti": "b7b07046-5417-40d6-9338-1851a0f5e1e5",
> "exp": 1541292863,
> "nbf": 0,
> "iat": 1541264063,
> "iss": "http://localhost:7200/auth/realms/MyRealm",
> *"aud": "JettyApp",*
> "sub": "c801fc43-e7d3-4229-869c-cef19d049389",
> "typ": "Bearer",
> "azp": "Webapps",
> "nonce": "3ec36116-c8a3-482c-828e-6458ad179270",
> "auth_time": 1541264063,
> "session_state": "0b40b785-6956-4234-bcb5-96ff8fdcb822",
> "acr": "1",
>
>
> [image: image.png]
>
> On Sat, Nov 3, 2018 at 10:11 PM Bruce Wings <testoauth55 at gmail.com> wrote:
>
>> Thanks Geoffrey,
>>
>> I believe this will solve my problem. However, I tried creating the
>> mapper, but maybe I missed something cause I am still getting 401 if I
>> login with front end.
>>
>> In the attached image, I have shared my config, can you give it a quick
>> look and confirm this is how it is supposed to be?
>>
>> Name of my backend client in keycloak JettyApp:
>>
>> I have created Token claim name as - clientId and value as JettyApp.
>>
>>
>> [image: image.png]
>>
>>
>> On Sat, Nov 3, 2018 at 1:36 PM Geoffrey Cleaves <geoff at opticks.io> wrote:
>>
>>> Bruce, here's how I fixed the issue you're describing. I think it's a
>>> unfortunate omission in the docs (which are generally quite good). You need
>>> to include the backend client ID in the front end clients aud claim.
>>>
>>> https://bitbucket.org/snippets/gcleaves/5ebB58/sso-keycloak
>>>
>>> On Sat, Nov 3, 2018, 01:45 Bruce Wings <testoauth55 at gmail.com wrote:
>>>
>>>> Thanks Eric for the reply.
>>>>
>>>> But If I use a separate public client for my angular app, I am not able
>>>> to
>>>> access my Rest Api with the generated token, that's why I had to use
>>>> confidential client Json that I used to secure my server. Any idea,
>>>> what is
>>>> the right approach in case of server client architecture?
>>>>
>>>> ( My project contains Rest Apis that I have secured with jetty adapter
>>>> and
>>>> confidential client ( as keycloak Authorization works only for
>>>> confidential
>>>> client and not public clients). My angular app is accessing these rest
>>>> api.
>>>> Therefore I used the same confidential client oidc Json in my angular
>>>> app
>>>> too. )
>>>>
>>>>
>>>>
>>>> On Friday, November 2, 2018, Eric Boyd Ramirez <
>>>> eric.ramirez.sv at gmail.com>
>>>> wrote:
>>>>
>>>> > Hi Bruce,
>>>> > I am fairly new to Keycloak myself, so I am giving my opinion in hopes
>>>> > some else can double check.
>>>> > The JS adapter is designed to work with Public clients, siting on the
>>>> the
>>>> > client side, the idea is that the a user/person would have to enter
>>>> his/her
>>>> > credentials to in order to login.
>>>> >
>>>> > Confidential clients generate an installation JSON or XML
>>>> configuration
>>>> > object which is meant to be installed on the server side/ Application
>>>> > server. The user accessing this application does not receive this
>>>> > configuration.
>>>> >
>>>> > Hope this helps.
>>>> >
>>>> > > On Nov 2, 2018, at 1:28 AM, Bruce Wings <testoauth55 at gmail.com>
>>>> wrote:
>>>> > >
>>>> > > I am referring to Keycloak Javascript adapter as mentioned in :
>>>> > > https://www.keycloak.org/docs/4.5/securing_apps/index.html#_
>>>> > javascript_adapter
>>>> > >
>>>> > > I have a confidential client and I have downloaded
>>>> keycloak-oidc.json
>>>> > > containing client secret. Now I am not sure how secure is it to
>>>> keep this
>>>> > > file containing client-secret at the client side.
>>>> > >
>>>> > > Am I being over concerned?
>>>> > > _______________________________________________
>>>> > > keycloak-user mailing list
>>>> > > keycloak-user at lists.jboss.org
>>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >
>>>> >
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 53646 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181112/b659d806/attachment-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 57527 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181112/b659d806/attachment-0003.png
More information about the keycloak-user
mailing list