[keycloak-user] REST API security

Marek Posolda mposolda at redhat.com
Mon Apr 14 03:26:25 EDT 2014


Hi,

I would suggest looking at this endpoint 
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/TokenService.java#L155 
. I wonder whether this is something you are looking for, as it allows 
retrieving a token for some user in exchange for application and user 
credentials. It's de facto something described in the OAuth2 specs in the 
Resource Owner flow http://tools.ietf.org/html/rfc6749#page-37 .

So what I've just tried is this curl request:
curl --request POST \
  http://localhost:8081/auth/rest/realms/myRealm/tokens/grants/access \
  --data "client_id=myApp&client_secret=c52dc243-8004-4843-b03b-bc139fd3a6fc&username=john&password=password" \
  --header "Accept: application/json" \
  --header "Content-type: application/x-www-form-urlencoded"

where client_id and client_secret are the credentials of my application, 
username/password are the credentials of the user, and "myRealm" is the name 
of my realm where user "john" and application "myApp" are registered. Note 
that instead of client_id and client_secret you can also use the 
Authorization header (see the code for more details).

Marek
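The request Marek describes, written out as a small Python client, is an added example here and not code from the post or from Keycloak itself: it builds the same Resource Owner Password Credentials POST as the curl command above (or the Authorization-header variant he mentions, sending the client credentials as HTTP Basic per RFC 6749 section 2.3.1), validates the JSON token response against the fields RFC 6749 section 5.1 defines, and turns it into the Bearer header a headless client would attach to its REST calls. The endpoint path, realm, client and user names are taken from the post; the client secret, the sample token response and the helper names (build_password_grant_request, parse_token_response, request_token) are my own constructed placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# Values taken from Marek's curl request; the client secret used below is a placeholder.
KEYCLOAK_BASE = "http://localhost:8081/auth"
REALM = "myRealm"


def token_endpoint(base=KEYCLOAK_BASE, realm=REALM):
    """Path of the endpoint used in the post (Keycloak's TokenService grant endpoint)."""
    return f"{base}/rest/realms/{realm}/tokens/grants/access"


def build_password_grant_request(client_id, client_secret, username, password,
                                 use_basic_auth=False, base=KEYCLOAK_BASE, realm=REALM):
    """Build the Resource Owner Password Credentials request (RFC 6749, section 4.3).

    Returns (url, headers, body). With use_basic_auth=False the client credentials
    go into the form body exactly as in the curl command; with True they are sent
    as an HTTP Basic Authorization header (RFC 6749, section 2.3.1), which is the
    alternative Marek mentions.
    """
    form = {"username": username, "password": password}
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    if use_basic_auth:
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    else:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    # urlencode percent-encodes '&', '=' and '%' inside the values; the raw --data
    # string in the post would be mis-parsed for a password containing them.
    body = urllib.parse.urlencode(form).encode()
    return token_endpoint(base, realm), headers, body


def parse_token_response(raw):
    """Validate a token response and return it as a dict.

    Only the fields standardised by RFC 6749 (section 5.1) are checked, so an
    error response such as {"error": "invalid_grant"} is rejected instead of
    being silently used as if it carried a token.
    """
    data = json.loads(raw)
    if "error" in data:
        raise ValueError(f"token request failed: {data['error']}")
    if not data.get("access_token"):
        raise ValueError("token response has no access_token")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
    return data


def bearer_header(token):
    """Authorization header for the REST calls the headless client makes next."""
    return {"Authorization": "Bearer " + token["access_token"]}


def request_token(client_id, client_secret, username, password, use_basic_auth=False):
    """Perform the POST against a running Keycloak; needs the server, so not run offline."""
    url, headers, body = build_password_grant_request(
        client_id, client_secret, username, password, use_basic_auth)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample response in the shape RFC 6749 describes; not captured from Keycloak.
    sample = '{"access_token": "eyJ.constructed.token", "token_type": "bearer", "expires_in": 300}'
    print(bearer_header(parse_token_response(sample)))
```

The Basic-auth variant keeps the client secret out of the form body, which is what the post's remark about the Authorization header amounts to; in either form the secret and the user's password travel in the request, so outside local testing this endpoint is expected to be served over TLS. Checking for an "error" member before reading access_token matters in a headless client because there is no login form to surface a failed grant to a human.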


On 13.4.2014 10:30, Nils Preusker wrote:
> To clarify, I've been looking at the various clients in the examples 
> and know that I can simply add an authorization header with a bearer 
> token to the REST requests. However, as far as I understand the 
> examples and the code, all the login flows are based on login forms 
> and redirects. While this is convenient for web applications, I'm 
> missing a simple way for a "headless" client to obtain a token in 
> return for application credentials or an API key. Are you planning to 
> support this kind of use case?
>
> Cheers,
> Nils
>
>
> On Sat, Apr 12, 2014 at 7:09 PM, Nils Preusker <n.preusker at gmail.com> wrote:
>
>     Hi all,
>
>     I'm trying to figure out how I could use keycloak to secure a REST
>     API that is used by a pure backend REST client. Do you have any
>     recommendations for that (i.e. API keys)?
>
>     Cheers,
>     Nils
>
>
>
>
