[keycloak-dev] Direct Grant API for Confidential Clients
Marek Posolda
mposolda at redhat.com
Tue May 17 04:36:20 EDT 2016
Hi Lance,

If you specify "grant_type=password", you are using Direct access
grants (it's called "Resource Owner Password credentials grant" in the
OAuth2 specification), documented here [1].

If you specify "grant_type=client_credentials", you are using Service
accounts and you are obtaining a token on behalf of the client (it's called
"Client Credentials grant" in the OAuth2 specification), and it's documented
here [2].
[1] http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html
[2] http://keycloak.github.io/docs/userguide/keycloak-server/html/service-accounts.html
Marek
On 16/05/16 23:19, Lance Ball wrote:
> Hi All
>
> I've been updating the keycloak-nodejs-auth-utils module to keep up
> with recent changes in Keycloak, and one thing I've noticed seems to
> contradict what's written in the documentation. Can anyone provide
> clarity on this for me?
>
> In the docs for Direct Access Grants[1] it says, "For confidential
> client's, you must create a Basic Auth Authorization header that
> contains the client_id and client secret. And pass in the form
> parameters for username and for each user credential. For example:"
> POST /auth/realms/demo/protocol/openid-connect/token
> Authorization: Basic atasdf023l2312023
> Content-Type: application/x-www-form-urlencoded
>
> username=bburke&password=geheim&grant_type=password
> (That's copied and pasted into GMail. I hope the formatting is OK).
>
> But in the keycloak-nodejs-auth-utils module, I am able to obtain a
> grant without including the username and password. Additionally, I
> must specify 'client_credentials' as the grant_type [2].
>
> Do I misunderstand what is going on here or is the documentation out
> of date?
>
> Thanks
> Lance
>
> [1] http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html
> [2] https://github.com/keycloak/keycloak-nodejs-auth-utils/blob/master/lib/grant-manager.js#L71-L79
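Added example, not part of the original thread and not code from keycloak-nodejs-auth-utils: the two token requests discussed above, built side by side for the same confidential client, with a helper that reports which principal the resulting token represents. The realm, path and user come from the quoted documentation; the client id, client secret and function names are constructed for illustration.

```javascript
// Builds (does not send) the two token requests discussed in this thread.
// Path and user are from the quoted docs; client id/secret are constructed values.
const TOKEN_PATH = '/auth/realms/demo/protocol/openid-connect/token';

// HTTP Basic credentials for a confidential client: base64(client_id:client_secret).
function basicAuth(clientId, clientSecret) {
  return 'Basic ' + Buffer.from(clientId + ':' + clientSecret).toString('base64');
}

function tokenRequest(client, grantType, user) {
  const form = new URLSearchParams({ grant_type: grantType });
  if (grantType === 'password') {
    // Direct access grant: the client presents the user's credentials as well as its own.
    if (!user || !user.username || !user.password) {
      throw new Error('password grant requires username and password');
    }
    form.set('username', user.username);
    form.set('password', user.password);
  } else if (grantType !== 'client_credentials') {
    throw new Error('unsupported grant_type: ' + grantType);
  }
  // client_credentials: no user parameters; the client authenticates only as itself.
  return {
    method: 'POST',
    path: TOKEN_PATH,
    headers: {
      Authorization: basicAuth(client.id, client.secret),
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: form.toString(),
  };
}

// Which principal the issued token represents, derived from the form body alone.
function tokenSubject(body) {
  const form = new URLSearchParams(body);
  switch (form.get('grant_type')) {
    case 'password':
      return { grant: 'direct access grant', subject: 'user:' + form.get('username') };
    case 'client_credentials':
      return { grant: 'service account', subject: 'client' };
    default:
      return { grant: 'unknown', subject: null };
  }
}
```

Both requests carry the same Authorization header; only the form body decides whether the token is issued for the user or for the client's service account.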