Standardize the examples #980
Conversation
|
@sberyozkin here the new PR for the development branch. CC @gsmet |
...ization-quickstart/src/main/java/org/acme/security/keycloak/authorization/AdminResource.java
Outdated
Show resolved
Hide resolved
| @@ -32,6 +32,10 @@ | |||
| </dependencyManagement> | |||
|
|
|||
| <dependencies> | |||
| <dependency> | |||
There was a problem hiding this comment.
@survivant Why is this module added here ? There is a dedicated keycloak-authorization-quickstart
There was a problem hiding this comment.
@sberyozkin maybe it's not necessary. I though it was used by KeycloakTestClient. So the sample : security-keycloak-authorization-quickstart need that module to check in Keycloak if a URL is authorized for the user logged.
and the sample : security-openid-connect-quickstart will received a token with the roles in it and use that to validate if the user is authorized with the annotation @RolesAllowed so the dependency to keycloak autorisation is not needed ?
did I understand correctly the difference between the two samples ?
| RestAssured.given().auth().oauth2(getAccessToken("admin")) | ||
| .when().get("/api/admin") | ||
| .when().get("/api/users/me") |
There was a problem hiding this comment.
@survivant Hmm but this drops a check that alice (who only has a user role) can not access admin-level resources
| RestAssured.given().auth().oauth2(getAccessToken("alice")) | ||
| .when().get("/api/users/me") | ||
| .when().get("/api/admin") |
...ization-quickstart/src/main/java/org/acme/security/keycloak/authorization/AdminResource.java
Outdated
Show resolved
Hide resolved
|
@sberyozkin the goal was to get the samples : security-openid-connect-quickstart and security-keycloak-authorization-quickstart almost similar except one use the token and the other roles. |
I updated the sample to have the same structure. It's easier to compare between them.