diff --git a/docbook/reference/en/en-US/master.xml b/docbook/reference/en/en-US/master.xml
index eff56c2610..7b72d6ab24 100755
--- a/docbook/reference/en/en-US/master.xml
+++ b/docbook/reference/en/en-US/master.xml
@@ -18,6 +18,7 @@
+
@@ -97,6 +98,7 @@ This one is short
 &InstalledApplications;
 &Logout;
 &MultiTenancy;
+ &JAAS;
diff --git a/docbook/reference/en/en-US/modules/jaas.xml b/docbook/reference/en/en-US/modules/jaas.xml
new file mode 100644
index 0000000000..802dfcb0ce
--- /dev/null
+++ b/docbook/reference/en/en-US/modules/jaas.xml
@@ -0,0 +1,37 @@
+
+ JAAS plugin
+
+ It's generally not needed to use JAAS for most of the applications, especially if they are HTTP based, but directly choose one of our adapters.
+ However some applications and systems may still rely on pure legacy JAAS solution. Keycloak provides couple of login modules
+ to help with such use cases. Some login modules provided by Keycloak are:
+
+
+
+
+ org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
+
+
+ This login module allows to authenticate with username/password from Keycloak database. It's using
+ Direct Access Grants Keycloak endpoint to validate on Keycloak side if provided username/password is valid.
+ It's useful especially for non-web based systems, which need to rely on JAAS and want to use Keycloak credentials, but can't use classic browser based
+ authentication flow due to their non-web nature. Example of such application could be messaging application or SSH system.
+
+
+
+
+ org.keycloak.adapters.jaas.BearerTokenLoginModule
+
+
+ This login module allows to authenticate with Keycloak access token passed to it through CallbackHandler as password.
+ It may be useful for example in case, when you have Keycloak access token from classic web based authentication flow
+ and your web application then needs to talk to external non-web based system, which rely on JAAS. For example to JMS/messaging system.
+
+
+
+
+
+
+ Both login modules have single configuration property keycloak-config-file where you need to provide location of keycloak.json configuration file.
+ It could be either provided from filesystem or from classpath (in that case you may need value like classpath:/folder-on-classpath/keycloak.json ).
+
+
\ No newline at end of file
diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/BearerTokenLoginModule.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/BearerTokenLoginModule.java
index 09b4816cc9..10f8d7b318 100755
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/BearerTokenLoginModule.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/jaas/BearerTokenLoginModule.java
@@ -6,7 +6,7 @@ import org.keycloak.VerificationException;
 /**
 * Login module, which allows to authenticate Keycloak access token in environments, which rely on JAAS
 *

- * It expects login based on username and password where username must be equal to "Bearer" and password is keycloak access token.
+ * It expects login based on username and password where username doesn't matter and password is keycloak access token.
 *
 * @author Marek Posolda
 */
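Review bot: The reworded Javadoc line says the username "doesn't matter" but does not say what the module does with it, or where the authenticated identity comes from once the fixed "Bearer" username is no longer required. Integrators configuring JAAS read this class comment, so it should state the contract explicitly, for example `* The username supplied by the CallbackHandler is ignored; the password must be a Keycloak access token, and the Subject is populated from that token only after it has been verified.` That wording assumes the login code behaves this way; the class body is outside this hunk, so please confirm before adopting it. Without such a statement, a consuming system may log or make authorization decisions on the callback username, which under this scheme is an unverified caller-chosen string.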