[Apiman-user] Question about OAuth2 (apiman & keycloak)

Marc Savy marc.savy at redhat.com
Mon Sep 7 14:30:12 EDT 2015


This is using openid-connect, which is layered on top of OAuth2 and provides a bunch of useful standardised fields for authentication purposes (to verify that the caller is who they claim to be; as opposed to authorization, which is talking more about what you are allowed to do).

There are a couple of good StackExchange threads which will be helpful:
  - http://security.stackexchange.com/a/44614
  - http://security.stackexchange.com/a/47136

On 07/09/2015 17:18, Charles Moulliard wrote:
> Hi,
>
> This blog post details how to use Oauth2 between APiman & Keycloak
> ("http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html").
>
> I have some questions to ask you about how these requests are related
> to the OAuth2 spec/protocol.
>
> When we issue the request to get an access token for the client_id =
> apiman "curl -X POST
> http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token
> -H "Content-Type: application/x-www-form-urlencoded" -d
> "username=rincewind" -d 'password=apiman' -d 'grant_type=password' -d
> 'client_id=apiman'", does this request correspond to the OAuth 2 process
> where the client requests an access token from the authorization server (=
> keycloak) using grant-type = password
> (http://oauthlib.readthedocs.org/en/latest/oauth2/grants/password.html)?
>
> Is this request also issued by the "Apiman OAuth2 Policy" when an HTTP
> client calls the gateway to access an HTTP endpoint secured by the
> API gateway?
>
> Regards,
>
> Charles
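To make the distinction in Marc's reply concrete, here is an added example (not code from the thread, apiman or Keycloak): it builds the same password-grant form body the quoted curl command sends to the Keycloak token endpoint, decodes the access token the realm returns, and runs the claim checks a gateway policy needs before treating the caller as authenticated. The ISSUER value, the user id and the token response are constructed assumptions; the token endpoint, realm, user and client_id come from the thread.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Endpoint, realm and client_id are taken from the request quoted above.
# ISSUER is an assumption: Keycloak puts the realm URL in the "iss" claim.
TOKEN_URL = "http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token"
ISSUER = "http://127.0.0.1:8080/auth/realms/stottie"
CLIENT_ID = "apiman"

def password_grant_body(username, password, client_id=CLIENT_ID):
    """Resource Owner Password Credentials grant (RFC 6749 section 4.3): the
    x-www-form-urlencoded body the curl command in the thread POSTs to TOKEN_URL."""
    return urlencode({"grant_type": "password", "username": username,
                      "password": password, "client_id": client_id})

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def make_demo_token(claims):
    """Constructed, unsigned JWT showing only the claim layout; a real Keycloak
    token carries a signature over header.payload that must be verified."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def jwt_claims(token):
    """Decode the payload of a compact JWT WITHOUT verifying it; check the
    signature against the realm's public key before trusting these claims."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def access_token_from_response(raw_json):
    """Pull the bearer token out of the JSON reply to the token request."""
    return json.loads(raw_json)["access_token"]

def check_oidc_claims(claims, now=None):
    """OpenID Connect claim checks a gateway must pass before accepting the
    caller's identity; returns the names of the claims that failed."""
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    failed = [name for name, bad in (
        ("iss", claims.get("iss") != ISSUER),      # issued by this realm
        ("aud", CLIENT_ID not in aud),             # intended for this client
        ("sub", not claims.get("sub")),            # identifies a subject
        ("exp", claims.get("exp", 0) <= now),      # not expired
    ) if bad]
    return failed

# Constructed token response shaped like Keycloak's reply to the request above.
DEMO_CLAIMS = {"iss": ISSUER, "sub": "user-id-placeholder", "aud": CLIENT_ID,
               "preferred_username": "rincewind", "iat": 1441650000, "exp": 1441650300}
DEMO_RESPONSE = json.dumps({"access_token": make_demo_token(DEMO_CLAIMS),
                            "token_type": "bearer", "expires_in": 300})
```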