Extension protected by authentication

I want to implement a new Keycloak metric extension exposed as a REST API, e.g. on the endpoint https:///mymetrics. I know how to do this part.

But I have an additional requirement. This endpoint shouldn't be public. It should be protected by token authentication.

Can anybody suggest whether it is possible to create a Keycloak extension with a REST API that is protected by authentication?

Thank you

Whether in or out of Keycloak, it’s possible to protect any REST API endpoint with Keycloak. The general steps are:

  1. Make a “confidential” or “bearer only” client in Keycloak.
  2. Depending on the backend technology you’re using, pick an OIDC library, and configure it with the values from your client.
  3. When you get a request, look for the Authorization: Bearer {token} header, and validate the token (your library might do this for you).

If you are looking for a way to enforce that within a Keycloak REST extension, I have a base class you can look at as an example: keycloak-orgs/AbstractAdminResource.java at main · p2-inc/keycloak-orgs · GitHub

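The three steps above, carried out inside a Keycloak REST extension, as an added example (this is not code from the thread, nor from p2-inc/keycloak-orgs). It assumes Keycloak 22 or later (jakarta namespace; older releases use javax.ws.rs), and the package `example.metrics`, the class names and the realm role `metrics-viewer` are hypothetical. A realm resource provider is mounted under `/realms/{realm}/<provider-id>`, so this endpoint answers at `/realms/myrealm/mymetrics` rather than at a root-level `/mymetrics`. The token is read from the `Authorization: Bearer {token}` header and validated by Keycloak's own `AppAuthManager.BearerTokenAuthenticator` (signature against the realm keys, expiry, realm, active user session); on failure the request gets a 401. Because any valid token issued by the realm would pass that check, the example also requires a realm role and returns 403 without it.

```java
// Added example, not from the thread or from p2-inc/keycloak-orgs.
// Assumes Keycloak 22+ (jakarta namespace). Package, class and role names are hypothetical.
package example.metrics;

import java.util.Map;

import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;

import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;

/**
 * Realm resource served at /realms/{realm}/mymetrics. The class is both the
 * RealmResourceProvider and the JAX-RS resource, so getResource() returns this.
 */
public class MetricsResource implements RealmResourceProvider {

    // Hypothetical realm role the caller must hold; create it in the realm.
    private static final String REQUIRED_ROLE = "metrics-viewer";

    private final KeycloakSession session;

    public MetricsResource(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public Object getResource() {
        return this;
    }

    @Override
    public void close() {
    }

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response metrics() {
        AuthenticationManager.AuthResult auth = authenticate();
        requireRealmRole(auth, REQUIRED_ROLE);

        RealmModel realm = session.getContext().getRealm();
        // Constructed payload: the point of the example is the gate above.
        Map<String, Object> body = Map.of(
                "realm", realm.getName(),
                "users", session.users().getUsersCount(realm),
                "caller", auth.getUser().getUsername());
        return Response.ok(body).build();
    }

    /**
     * Step 3 of the answer: read "Authorization: Bearer {token}" and let Keycloak
     * verify it (signature against the realm keys, expiry, realm, active user
     * session). Missing or invalid token -> 401 with "WWW-Authenticate: Bearer".
     */
    private AuthenticationManager.AuthResult authenticate() {
        RealmModel realm = session.getContext().getRealm();
        AuthenticationManager.AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session)
                .setRealm(realm)
                .setConnection(session.getContext().getConnection())
                .setHeaders(session.getContext().getRequestHeaders())
                .authenticate();
        if (auth == null) {
            throw new NotAuthorizedException("Bearer");
        }
        return auth;
    }

    /** Authentication is not authorization: also require a realm role, else 403. */
    private static void requireRealmRole(AuthenticationManager.AuthResult auth, String role) {
        AccessToken.Access realmAccess = auth.getToken().getRealmAccess();
        if (realmAccess == null || !realmAccess.isUserInRole(role)) {
            throw new ForbiddenException("missing realm role " + role);
        }
    }

    /** Factory registered via META-INF/services; its id is the URL path segment. */
    public static class Factory implements RealmResourceProviderFactory {
        public static final String ID = "mymetrics";

        @Override public RealmResourceProvider create(KeycloakSession session) { return new MetricsResource(session); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
        @Override public String getId() { return ID; }
    }
}
```

To deploy, list `example.metrics.MetricsResource$Factory` in `META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory` inside the extension JAR. The caller obtains its token from a client configured as in steps 1 and 2 (for a machine caller, a confidential client using the client-credentials grant, with the service-account user given the `metrics-viewer` role) and sends it as `Authorization: Bearer <token>`. A request without the header, or with a token from another realm or an expired one, is rejected before any metric is computed.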