[Apiman-user] Question about OAuth2 (apiman & keycloak)

Charles Moulliard cmoulliard at redhat.com
Wed Sep 9 05:40:36 EDT 2015


A blog post and/or documentation would help the end user figure out the token
used between the client, Apiman and Keycloak.


On 09/09/15 11:35, Marc Savy wrote:
>> and to decode the base64 token into a more human-readable form:
>>
>> http://jwt.io/
>
> Ah, that's very cool! Thanks for that, didn't know about it. Maybe I
> should integrate a reference to it in the blog.
>
> On 09/09/2015 08:39, Charles Moulliard wrote:
>> Thx for the info. To be complete, these links are also very valuable for
>> understanding the JWT (the token issued by Keycloak):
>>
>> https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
>> https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html
>>
>>
>>
>> and to decode the base64 token into a more human-readable form:
>>
>> http://jwt.io/
>>
>>
>> On 07/09/15 20:30, Marc Savy wrote:
>>> This is using openid-connect, which is layered on top of OAuth2 and
>>> provides a bunch of useful standardised fields for authentication
>>> purposes (to verify that the caller is who they claim to be; as
>>> opposed to authorization, which is talking more about what you are
>>> allowed to do).
>>>
>>> There are a couple of good StackExchange threads which will be helpful:
>>>  - http://security.stackexchange.com/a/44614
>>>  - http://security.stackexchange.com/a/47136
>>>
>>> On 07/09/2015 17:18, Charles Moulliard wrote:
>>>> Hi,
>>>>
>>>> This blog post details how to use OAuth2 between Apiman & Keycloak
>>>> ("http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html").
>>>>
>>>>
>>>>
>>>> I have some questions about how these requests relate to the OAuth2
>>>> spec/protocol.
>>>>
>>>> When we issue the request to get an access token for client_id =
>>>> apiman:
>>>>
>>>> curl -X POST http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token -H "Content-Type: application/x-www-form-urlencoded" -d "username=rincewind" -d 'password=apiman' -d 'grant_type=password' -d 'client_id=apiman'
>>>>
>>>> does this request correspond to the OAuth2 process where the client
>>>> requests an access token from the authorization server (= Keycloak)
>>>> using grant_type = password
>>>> (http://oauthlib.readthedocs.org/en/latest/oauth2/grants/password.html)?
>>>>
>>>> Is this request also issued by the "Apiman OAuth2 Policy" when an HTTP
>>>> client calls the gateway to access an HTTP endpoint secured by the
>>>> API gateway?
>>>>
>>>> Regards,
>>>>
>>>> Charles
>>>> _______________________________________________
>>>> Apiman-user mailing list
>>>> Apiman-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>>>
>>>
>>
>
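The thread points at jwt.io for decoding the Keycloak access token obtained with the password grant. The following is an added example, not code from the thread, Apiman or Keycloak: it decodes a compact JWT in Python and runs the basic checks a gateway policy has to perform before trusting the claims; the sample token, realm URL and claim values are constructed for illustration, and decoding alone (as jwt.io does) never verifies the signature.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # base64url (RFC 7515) strips "=" padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str) -> dict:
    """Split header.payload.signature and JSON-decode the first two parts.
    This only decodes; it does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "claims": json.loads(_b64url_decode(parts[1])),
        "signature": _b64url_decode(parts[2]),
    }


def inspect_token(token: str, expected_issuer: str, now: int) -> list:
    """Return the problems a gateway would reject the token for (empty = OK).
    Signature verification against the realm's public key is still required."""
    decoded = decode_jwt(token)
    problems = []
    if str(decoded["header"].get("alg", "none")).lower() == "none":
        problems.append("unsigned token (alg=none)")
    if decoded["claims"].get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    if now >= int(decoded["claims"].get("exp", 0)):
        problems.append("token expired or missing exp")
    return problems


# Constructed sample: header and claims shaped like a Keycloak access token,
# with a placeholder signature (not a real key, not a real realm).
REALM_URL = "http://127.0.0.1:8080/auth/realms/stottie"  # assumed issuer URL
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"iss": REALM_URL, "sub": "rincewind", "azp": "apiman",
                               "iat": 1441800000, "exp": 1441800300}).encode()),
    _b64url_encode(b"placeholder-signature"),
])

if __name__ == "__main__":
    print(json.dumps(decode_jwt(SAMPLE_TOKEN)["claims"], indent=2))
    print(inspect_token(SAMPLE_TOKEN, REALM_URL, 1441800100))
```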