[Apiman-user] Question about OAuth2 (apiman & keycloak)

Marc Savy marc.savy at redhat.com
Mon Sep 7 14:34:16 EDT 2015


A point that really bears reinforcing is that openid-connect provides a standardised mechanism for authentication which is completely decentralised (i.e. no need for the server to speak to the token issuer every time it wants to verify a token) - all of the information required is encoded within the token (plus trusted key data stored on the gateway).

On 07/09/2015 19:30, Marc Savy wrote:
> This is using openid-connect, which is layered on top of OAuth2 and
> provides a bunch of useful standardised fields for authentication
> purposes (to verify that the caller is who they claim to be; as opposed
> to authorization, which is talking more about what you are allowed to do).
>
> There are a couple of good StackExchange threads which will be helpful:
>   - http://security.stackexchange.com/a/44614
>   - http://security.stackexchange.com/a/47136
>
> On 07/09/2015 17:18, Charles Moulliard wrote:
> > Hi,
> >
> > This blog post details how to use OAuth2 between Apiman & Keycloak
> > ("http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html").
> >
> >
> > I have some questions to ask you about where these requests are related
> > to OAuth2 spec/protocol
> >
> > When we issue the request to get an access token for the client_id =
> > apiman "curl -X POST
> > http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token
> > -H "Content-Type: application/x-www-form-urlencoded" -d
> > "username=rincewind" -d 'password=apiman' -d 'grant_type=password' -d
> > 'client_id=apiman'", does this request correspond to the OAuth 2 process
> > where the client requests an access token from the authorization server (=
> > keycloak) using grant-type = password
> > (http://oauthlib.readthedocs.org/en/latest/oauth2/grants/password.html) ?
> >
> > Is this request also issued by the "Apiman OAuth2 Policy" when an HTTP
> > Client calls the gateway to access an HTTP endpoint secured by the
> > API gateway ?
> >
> > Regards,
> >
> > Charles
> > _______________________________________________
> > Apiman-user mailing list
> > Apiman-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/apiman-user
> >
>
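The decentralised verification Marc describes (the gateway checks the token using only the claims inside it plus key material it already trusts, with no call back to Keycloak) can be shown with a small self-contained checker. This is an added example, not code from the thread or from the apiman project. It assumes an HS256-signed JWT and a shared secret held on the gateway so that it runs with only the Python standard library; a real Keycloak realm signs tokens with RS256 and the gateway would hold the realm's public key instead, but the sequence of checks (pinned algorithm, signature, issuer, audience, expiry) is the same. The issuer URL is the realm URL from the curl command above; the secret, username and timestamps are constructed.

```python
"""Offline check of an OpenID Connect style JWT on a gateway (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Realm URL from the thread; the rest are constructed sample values.
ISSUER = "http://127.0.0.1:8080/auth/realms/stottie"
AUDIENCE = "apiman"
SECRET = b"constructed-shared-secret-for-demo"  # stands in for trusted key data on the gateway


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_input(header: dict, claims: dict) -> str:
    # JWT compact form: base64url(header) "." base64url(claims)
    return ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )


def mint_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the issuer (Keycloak): produce a signed HS256 token as test input."""
    signing_input = _signing_input({"alg": "HS256", "typ": "JWT"}, claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Validate a token with local data only; return its claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the gateway was configured for; the header must not choose it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only after the signature holds do we trust anything inside the claims
    claims = json.loads(_b64url_decode(claims_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


if __name__ == "__main__":
    # Constructed claims for the user from the curl example in the thread
    sample = {"iss": ISSUER, "aud": AUDIENCE, "sub": "rincewind", "iat": 1441650000, "exp": 2000000000}
    token = mint_token(sample, SECRET)
    print(verify_token(token, SECRET, ISSUER, AUDIENCE, now=1441650100)["sub"])
```

Every check in `verify_token` reads only the token and the gateway's own configuration, which is the property Marc is pointing at: once the realm's key material is trusted on the gateway, each request can be authenticated without a round trip to the issuer. The algorithm pin and the "signature before claims" ordering are the two details most often got wrong when this check is hand-rolled.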
