Re: [Aerogear-users] Keycloak - validate token on server


Doug Drouillard
Summers - Yes, this is perfect

https://github.com/auth0/java-jwt#verify-a-token 

Thank you for your help! 

I was unsure if this was built into any of the Java/Keycloak adapters. This confirmation helps quite a bit. 

I have been running my modified version of aerogear for a couple weeks now and it works well. The ability to stay in the app using Safari View Controller + using kc_idp_hint is really nice and makes the native Facebook / Google iOS cocoapods seem unnecessary if you are just doing social sign-in which I believe is the point. 

On Mon, Jun 5, 2017 at 3:21 PM, <[hidden email]> wrote:
Today's Topics:

   1. Re: iOS Troubleshooting when server uses a self-signed
      certificate Swift 3 (Polina Koleva)
   2. Keycloak - validate token on server (Doug Drouillard)
   3. Re: Keycloak - validate token on server (Summers Pittman)
   4. Re: Keycloak - validate token on server (Doug Drouillard)
   5. Re: Keycloak - validate token on server (Summers Pittman)


----------------------------------------------------------------------

Message: 1
Date: Mon, 29 May 2017 09:27:59 -0700 (MST)
From: Polina Koleva <[hidden email]>
Subject: Re: [Aerogear-users] iOS Troubleshooting when server uses a
        self-signed certificate Swift 3
To: [hidden email]
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=UTF-8

Hey :)

Julio Cesar Sanchez Hernandez wrote
> Hi.
>
> There is something missing on the email you sent.
>
> You said
> I added in my DeviceRegistration.swift file the method:

I have added the code but it is not visible in the email. I place it here
again (hopefully this time it will work). So this is the implementation of
the method:

public func urlSession(_session: URLSession, task: URLSessionTask,
                       didReceive challenge: URLAuthenticationChallenge,
                       completionHandler: (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
    if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust
        && challenge.protectionSpace.host == serverURL.host! {
        let credentials = URLCredential(trust: challenge.protectionSpace.serverTrust!)
        completionHandler(Foundation.URLSession.AuthChallengeDisposition.useCredential, credentials)
    } else {
        completionHandler(Foundation.URLSession.AuthChallengeDisposition.cancelAuthenticationChallenge, nil)
    }
}



Julio Cesar Sanchez Hernandez wrote
> Do you see any error message on Xcode console? If yes, share them.

Yes, it is written that the server is not trusted because of the self-signed
certificate.
This is the error:

Error Registering with UPS: The certificate for this server is invalid. You
might be connecting to a server that is pretending to be “x.x.x.x” which
could put your confidential information at risk.


Julio Cesar Sanchez Hernandez wrote
> Do you have a paid Apple developer account?

 Yes, I have a developer account.


Julio Cesar Sanchez Hernandez wrote
> Are you testing on a real device?

Yes, I am testing on a real device.


Julio Cesar Sanchez Hernandez wrote
> Is the device asking for the push permissions?

Yes, the app asks for permission to receive push notifications. But it
cannot connect to the server.


Julio Cesar Sanchez Hernandez wrote
> Is your server available online so I can take a look?

No, I am running the ups on my local machine.

Thanks.
On Mon, May 29, 2017 at 2:57 PM, Polina Koleva <polina.n.koleva@>
wrote:

> Hey,
> I am trying to run Swift 3 HelloWorld app ( HelloWorldSwift
> <https://github.com/aerogear/aerogear-ios-cookbook/tree/master/UnifiedPushHelloWorld>
> ) but I have a problem with the self-signed certificate.
> Looking at the documentation ( ios troubleshooting
> <https://aerogear.org/docs/unifiedpush/aerogear-push-ios/guides/#troubleshooting>
> ) and changing it a little bit for Swift 3, I added in my
> DeviceRegistration.swift file the method:
>
>
>
> But it still doesn't work. The method is not invoked at all. Do I miss
> something?
>
> Any help will be appreciated.
>
> Polina
>
>
>
> _______________________________________________
> Aerogear-users mailing list
> Aerogear-users@.jboss
> https://lists.jboss.org/mailman/listinfo/aerogear-users
>




------------------------------

Message: 2
Date: Wed, 31 May 2017 14:36:45 -0400
From: Doug Drouillard <[hidden email]>
Subject: [Aerogear-users] Keycloak - validate token on server
To: [hidden email]
Message-ID:
        <[hidden email]>
Content-Type: text/plain; charset="utf-8"

Hello,

I am using Aerogear-iOS and I am able to successfully get a JWT from
keycloak.  Say I pass that JWT to a Java web service (that is not wildfly),
is there a way to easily verify the token? The keycloak adapters for
undertow and jetty seem beyond my reach. I am using Ninja Framework and the
undertow integration does not seem feasible in my time frame.
I was hoping to easily validate token on server, but I can't seem to have
come across anything. My concern is that I want to disable a user and
immediately have them disabled, not wait on expiration in token.

I have proposed this question on stack overflow and on the keycloak mailing
list with no answers so I was hoping to have some luck here.

Thanks.

------------------------------

Message: 3
Date: Thu, 1 Jun 2017 07:47:35 -0400
From: Summers Pittman <[hidden email]>
Subject: Re: [Aerogear-users] Keycloak - validate token on server
To: [hidden email]
Message-ID:
        <[hidden email]>
Content-Type: text/plain; charset="utf-8"

Are you thinking something like this :
https://github.com/auth0/java-jwt#verify-a-token ?


------------------------------

Message: 4
Date: Mon, 5 Jun 2017 09:11:43 -0400
From: Doug Drouillard <[hidden email]>
Subject: Re: [Aerogear-users] Keycloak - validate token on server
To: [hidden email]
Message-ID:
        <CAJSu2J7YAAh47A57GzLu3hqkYzpfuOLC=[hidden email]>
Content-Type: text/plain; charset="utf-8"

I ended up forking aerogear and merging in an unmerged PR that exposed
Safari View Controller (I am targeting iOS 9+) and then also modified to
allow for passing of kc_idp_hint.

https://github.com/drouillard/aerogear-ios-oauth2

It is nice and clean and avoids the user experience issues that motivated
my original question. E.g. embedded views don't work with Google sign-in and
the external safari makes user answer an additional prompt (Open in 'app
name') plus risks leaving them in no-persons land if they cancel.

For my active account question I likely can just use the Admin API and
check outright whether the user is enabled.

Still researching best Java client to use in my case as it seems like I am
in a bearer-only situation. The aerogear code is easier to follow as there
is not intermixing of session/server logic like the servlet examples I have
seen.
Verifying the JWT on local server is easy and likely good enough but I
believe there should be a way to verify it with the keycloak server if
desired using certificates/possibly open-id end points. I am working in a
high fraud situation so need all options available.

Will update this thread as they appear in Google search results.


------------------------------

Message: 5
Date: Mon, 5 Jun 2017 14:42:36 -0400
From: Summers Pittman <[hidden email]>
Subject: Re: [Aerogear-users] Keycloak - validate token on server
To: [hidden email]
Message-ID:
        <CAEQz2Cs7_Nc9SYaPNmVhe3kRfx=[hidden email]>
Content-Type: text/plain; charset="utf-8"

+1 Thanks for the feedback, and I will keep an eye out for your updates.



------------------------------

End of Aerogear-users Digest, Vol 33, Issue 1
*********************************************
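
Added example (not part of the thread, and not code from AeroGear, Keycloak or the java-jwt project): the local verification discussed above, done with the java-jwt library linked in the thread. The issuer URL, the subject and the key pair generated in-process to stand in for the realm's signing key are assumptions made for illustration; it needs com.auth0:java-jwt on the classpath.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;

public class LocalTokenCheck {
    // Assumed issuer: a placeholder realm URL, not taken from the thread.
    static final String ISSUER = "https://keycloak.example.test/auth/realms/demo";

    // Local check only: proves signature, issuer and expiry. An account disabled
    // after issuance still passes until exp; that needs a call to the Keycloak server.
    static String verify(String token, RSAPublicKey realmKey) {
        try {
            // The algorithm is pinned by the service, never taken from the token header.
            JWTVerifier verifier = JWT.require(Algorithm.RSA256(realmKey, null))
                    .withIssuer(ISSUER)
                    .build();
            return verifier.verify(token).getSubject();
        } catch (JWTVerificationException e) {
            return null; // bad signature, wrong issuer, expired or malformed
        }
    }

    // Builds constructed sample tokens so the example runs offline.
    static String sign(KeyPair kp, String issuer, long ttlMillis) {
        Algorithm alg = Algorithm.RSA256((RSAPublicKey) kp.getPublic(), (RSAPrivateKey) kp.getPrivate());
        return JWT.create().withIssuer(issuer).withSubject("user-123")
                .withExpiresAt(new Date(System.currentTimeMillis() + ttlMillis))
                .sign(alg);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair realm = gen.generateKeyPair(); // stands in for the realm signing key
        KeyPair other = gen.generateKeyPair(); // a signer the service does not trust
        RSAPublicKey pub = (RSAPublicKey) realm.getPublic();
        System.out.println("valid:        " + verify(sign(realm, ISSUER, 60_000), pub));
        System.out.println("wrong key:    " + verify(sign(other, ISSUER, 60_000), pub));
        System.out.println("wrong issuer: " + verify(sign(realm, "https://other.example.test", 60_000), pub));
        System.out.println("expired:      " + verify(sign(realm, ISSUER, -60_000), pub));
    }
}
```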

