
How to use (support request) #11

Closed
nickrobillard opened this issue Dec 4, 2017 · 3 comments
@nickrobillard

Hi @felixheck - I have borrowed your example code in the readme (https://github.com/felixheck/hapi-auth-keycloak#example) but I am a little unsure where to go from there.

I attempted to use client/secret method by adding my Keycloak client's clientId and secret to my options object, but I still see:

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Missing or invalid authorization header",
  "attributes": {
    "strategy": "keycloak-jwt",
    "error": "Missing or invalid authorization header"
  }
}

I dug in a little bit and I can see that an Authorization header with bearer token is expected. So is every request to my Hapi endpoint expected to have this header set? That would make sense since the bearer token is user specific and needed in order to correctly authorize the user. After reading your reply in #8, it sounds like the job of getting the bearer token falls outside the responsibility of hapi-auth-keycloak. Is this correct?

@felixheck (Owner) commented Dec 4, 2017

Thanks for your request. Seems that I have to add a few points to the README :)

  1. Send the access_token as `authorization: bearer <access_token>`.
  2. This plugin is just for validation/authorization of Keycloak-based bearers currently.
  3. The plugin uses access_tokens as user-specific tokens. BUT there are some Keycloak API key services which introduce API keys to Keycloak by requesting access tokens again & again. There'll be a minor release which allows using such API key services as an interceptor for `authorization: Api-Key <key>` requests; the API key service itself is not part of the minor release :)

If there's need for requesting tokens via this plugins, redirect to the UI like in #8 etc I'd be really hapi if you contribute :)

P.S. Because all the other hapi-auth-* plugins just handle credential validation + authorization as well, I'd like to reduce the features to the minimum. I use https://github.com/keycloak/keycloak-nodejs-auth-utils for lots of stuff. The grant manager enables requesting tokens in various manners.. perhaps this is the more elegant way. Nevertheless, redirect is a possible feature.

felixheck self-assigned this Dec 4, 2017

@nickrobillard (Author)

I appreciate your quick response. That all makes sense. In general, I'm all for separation of concerns and keeping things lean. I did notice keycloak-nodejs-auth-utils while digging into the Express middleware and I will definitely leverage it here. Thanks!

PS: Are you concerned that https://github.com/keycloak/keycloak-nodejs-auth-utils has been merged into https://github.com/keycloak/keycloak-nodejs-connect and won't be maintained on its own?

@felixheck (Owner)

Thanks for the hint! Gonna switch to nodejs-connect with the next minor :)
