[keycloak-dev] Direct Grant API for Confidential Clients

Marek Posolda mposolda at redhat.com
Tue May 17 04:36:20 EDT 2016


Hi Lance,

If you specify "grant_type=password", you are using Direct Access 
Grants (it's called "Resource Owner Password Credentials Grant" in the 
OAuth2 specification), documented here [1].

If you specify "grant_type=client_credentials", you are using Service 
Accounts and you are obtaining a token on behalf of the client (it's called 
"Client Credentials Grant" in the OAuth2 specification); it's documented 
here [2].

[1] http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html
[2] http://keycloak.github.io/docs/userguide/keycloak-server/html/service-accounts.html

Marek

On 16/05/16 23:19, Lance Ball wrote:
> Hi All
>
> I've been updating the keycloak-nodejs-auth-utils module to keep up 
> with recent changes in Keycloak, and one thing I've noticed seems to 
> contradict what's written in the documentation. Can anyone provide 
> clarity on this for me?
>
> In the docs for Direct Access Grants[1] it says, "For confidential 
> clients, you must create a Basic Auth Authorization header that 
> contains the client_id and client secret. And pass in the form 
> parameters for username and for each user credential. For example:"
>
>      POST /auth/realms/demo/protocol/openid-connect/token
>      Authorization: Basic atasdf023l2312023
>      Content-Type: application/x-www-form-urlencoded
>
>      username=bburke&password=geheim&grant_type=password
>
> (That's copied and pasted into GMail. I hope the formatting is OK).
>
> But in the keycloak-nodejs-auth-utils module, I am able to obtain a 
> grant without including the username and password. Additionally, I 
> must specify 'client_credentials' as the grant_type [2].
>
> Do I misunderstand what is going on here or is the documentation out 
> of date?
>
> Thanks
> Lance
>
> [1] http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html
> [2] https://github.com/keycloak/keycloak-nodejs-auth-utils/blob/master/lib/grant-manager.js#L71-L79
>
