I currently have two APIs with their confidential clients on keycloak.
So:
API1 - client1
API2 - client2
I don't know if I'm looking in the right way, but I want to protect an endpoint of my API2 for use it from my API1. Can I get a token relative to client1 and use it as another user token? Or do I need another authentication process?
Thank you!
Related
I am using Keycloak 17.0 with
keycloak.profile.feature.admin_fine_grained_authz=enabled
keycloak.profile.feature.token_exchange=enabled
The issue: I need to provide refresh token for a client on behalf of already authenticated confidential service account client. I need something very close to internal to internal token exchange like it's described here. The only thing is that I need to make a token exchange call without subject_token parameter. Is it possible to have a client that will provide tokens for another internal clients without their authentication/tokens?
I'm googling since long and i'm bit confused now should i create Custom iDP or Authentication provider in Keycloak.
Below is my requirements.
I have multiple clients and each client having login API which also returns JWT token on successful login so what business needs is that when user try to login i want keycloack to consume client API to Authenticate User and once user successfully authenticated by Client API Keycloack should generate token for further operations.
One more problem is can i use same token return from client as Keycloack token because there are some apis on client side which decode token and use some info from token.
Please suggest and i'm bit stressed to looking for different solution and couldn't help. I will be grateful if you can share sample code with it.
What do you mean by "I have multiple clients and each client having login API" (does that mean different endpoints secured by different realms?? I supose that's not what you want).
What you mention here:
"what business needs is that when user try to login i want keycloack to consume client API to Authenticate User and once user successfully authenticated by Client API Keycloack should generate token for further operations."
that is indeed the standard behaviour of Keycloak, why do you need a custom Authentication (user federated Authentication/ identity Provider)? You haven't made clear from the description of your problem, why do you need a custom Identity Provider SPI /custom Authentication federation? If you really need an Authentication SPI, please read chapter 8 from here:
https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
that's the best documentation on that topic. Are you authenticating against a custom Auth service of your company that doesn't support openid connect? If not, then you don't need a custom Authentication SPI.
regarding:
"can i use same token return from client as Keycloack token because there are some apis on client side which decode token and use some info from token."
I don't know exactly what you mean there, but depending on your client adapter there are slight variations on the way you get/extract a bearer token & secure your endpoints in general. Plase read chapter 3.1 from here: https://www.keycloak.org/docs/latest/securing_apps/index.html#_client_registration
There you'll find base implementations/suggestions for the different client adapters, or at least should move you forward in your search.
Hope it helps.
I'm evaluating whether to use Ionic's cloud Auth service and it seems like it's relatively easy to implement client-side, where you can check this.auth.isAuthenticated. You can also set the user info from the client side as well.
However, if I want to do check their identity server-side, such as check that a user is authenticated when they call my custom api to post a comment - how can I get some sort of token (preferably a JWT token) that I can use to validate their identity server-side? Assuming we are using email/password authentication.
Also - using their send notification on a user's birthday example, how can I query the user data in ionic cloud's database to say find all users who have a birthday today. Can I export out the user data in any way if I want to migrate away in the future?
You should implement a JWT authentication service server side.
In other words when the user is authenticated, the app can send a JWT token to the server which should be evaluated to trust the remote user.
For more info reads: https://docs.ionic.io/services/auth/custom-auth.html
A php example here: https://github.com/driftyco/custom-auth-examples/tree/master/php
Regards from Italy
I am writing an Angular2 client web application client as a front end for a REST services providing access to some resources.
The REST service is protected with basic HTTP auth, and allows unauthenticated access for some of its endpoints (for instance GET /freeresource), while requires user/password authentication for other endpoints (say GET /protectedresource, or POST /freeresource, etc.).
For my Angular2 client, I would like to implement a loging page allowing access to the web application with the same ":" accepted by REST service. For this I'm following this tutorial : https://medium.com/#blacksonic86/angular-2-authentication-revisited-611bf7373bf9#.myifbz656
The problem is that the above tutorial assumes that the backend REST service has an explicit /login endpoint returning an authentication token to which you post your credentials, while my REST service does not have such an endpoint, but just returns an authorization error when passed missing or wrong credentials for endpoints that require them. I didn't find any alternative article or tutorial for a situation like this.
What is the correct way of proceeding in such a case? I could "simulate" the /login endpoint by accessing for instance a protected resource with username and password read from the app login page and trying to access a protected resource GET /protectedresource, considering as a failed login if this call returns an unauthorized error, but clearly this is not a satisfying solution (what today is a protected resource could become freely accessible tomorrow, for instance), so what is a "clean" way to implement the web app login in this case?
You don't need to simulate the /login endpoint. You just need to know on the client accessing which resource requires authentication. You can implement the same "CanActivate" method from the tutorial, and write your service call to pass credentials (or use the local storage if the user is authenticated already) when you make the REST call. If your REST endpoints require authentication every time, get them from the user at the login page, store them in the local storage, then pass them to the endpoints that need authentication.
What is REST when using in WEB ?
Too many documentations, but is it just a simple attitude using existing html protocol, that may replace web-services.
Is it as following?
Like PAYPAL ...
Just using method from a specific server using http protocol: https://?
and on the server side using the value by get/post methods.
Entities:
Clients - every client that has access to server A (for the specific service).
Server A - Server (for the client use) that has an access to server (with an access key, like PAYPAL supports).
Server B - Server that has the API with some methods that returns to client.
Steps:
1. User ask from server A (server A uses the API) for a token.
2. Server A open a session with server B and send request for token (with the access key provided) to server B
3. Server B may reject or accept the request and send back the token to server A.
4. Server A may keep the token in session variable and send the token to the client.
5. Client use the token
6. Client send requests to server A, that send requests to server B with the token, keeping the same session.
Is the above correct?
Is that the concept of REST?
If not - need some guidelines, please.
Thanks :)
I think the concept of tokens is beyond the REST concept.
Rest (Representational state transfer) has more to do with the way you use the http methods to represent your desired action, like going to /users with get should give you back an arrays of users, then post in /users/1234 should create a user with id 1234 for example, or delete in /users/1234 should delete the user with 1234 id, etc.
It is an architecture where the http methods have a meaning.
Anyway there are more details of it, I would continue to read more with below;
http://en.wikipedia.org/wiki/Representational_state_transfer