12.3.8. Consuming remote services

最新推荐文章于 2024-09-19 21:52:00 发布

Bol5261

最新推荐文章于 2024-09-19 21:52:00 发布

阅读量195

点赞数

分类专栏： JBPM(Business Process Model) 文章标签： java

原文链接：https://docs.jboss.org/

版权

JBPM(Business Process Model) 专栏收录该内容

105 篇文章 0 订阅

订阅专栏

In order to use the different remote services provided by Business Central or by an Execution Server, your client must be authenticated on the KC server and have a valid token to perform the requests.

Remember that in order to use the remote services, the authenticated user must have assigned:

The role rest-all for using the Business Central remote services

The role kie-server for using the Execution Server remote services

Please ensure necessary roles are created and assigned to the users that will consume the remote services on the Keycloak admin console.

You have two options to consume the different remove service endpoints:

Using basic authentication, if the application’s client supports it

Using Bearer (token) based authentication

12.3.8.1. Using basic authentication

If the KC client adapter configuration has the Basic authentication enabled, as proposed in this guide for both Business Central (step 3.2) and Execution Server, you can avoid the token grant/refresh calls and just call the services as the following examples.

Example for a Business Central remote repositories endpoint:

curl http://admin:password@localhost:8080/business-central-x.y.z.Final/rest/repositories

Example to check the status for the Execution Server:

curl http://admin:password@localhost:8280/kie-server-x.y.z.Final/services/rest/server/

12.3.8.2. Using token based authentication

First step is to create a new client on Keycloak that allows the third party remote service clients to obtain a token. It can be done as:

Go to the KC admin console and create a new client using this configuration:

    Client id: kie-remote

    Client protocol: openid-connect

    Access type: public

    Valid redirect URIs: http://localhost/

As we are going to manually obtain a token and invoke the service let’s increase the lifespan of tokens slightly. In production access tokens should have a relatively low timeout, ideally less than 5 minutes:

    Go to the KC admin console

    Click on your Realm Settings

    Click on Tokens tab

    Change the value for Access Token Lifespan to 15 minutes. That should give us plenty of time to obtain a token and invoke the service before it expires.

Once a public client for our remote clients has been created, you can now obtain the token by performing an HTTP request to the KC server’s tokens endpoint. Here is an example for command line:

RESULT=curl --data "grant_type=password&client_id=kie-remote&username=admin&passwordpassword=<the_client_secret>" http://localhost:8180/auth/realms/demo/protocol/openid-connect/token

TOKEN=echo $RESULT | sed 's/.*access_token":"//g' | sed 's/".*//g'

At this point, if you echo the $TOKEN it will output the token string obtained from the KC server, that can be now used to authorize further calls to the remote endpoints. For exmple, if you want to check the internal jBPM repositories:

curl -H “Authorization: bearer $TOKEN” http://localhost:8080/business-central-x.y.z.Final/rest/repositories