[keycloak-user] REST API security

Nils Preusker n.preusker at gmail.com
Mon Apr 14 05:36:50 EDT 2014


Thanks Marek, I'll look into that!

Nils


On Mon, Apr 14, 2014 at 9:26 AM, Marek Posolda <mposolda at redhat.com> wrote:

>  Hi,
>
> I would suggest looking at this endpoint:
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/TokenService.java#L155
> I wonder if this is something you are looking for, as it allows you to
> retrieve a token for some user in exchange for application and user
> credentials. It's de facto what is described in the OAuth2 spec as the Resource
> Owner flow: http://tools.ietf.org/html/rfc6749#page-37 .
>
> So what I've just tried is this curl request:
> curl --request POST \
>   http://localhost:8081/auth/rest/realms/myRealm/tokens/grants/access \
>   --data "client_id=myApp&client_secret=c52dc243-8004-4843-b03b-bc139fd3a6fc&username=john&password=password" \
>   --header "Accept: application/json" \
>   --header "Content-type: application/x-www-form-urlencoded"
>
> where client_id and client_secret are the credentials of my application,
> username/password are the credentials of the user, and "myRealm" is the name of my realm
> where the user "john" and the application "myApp" are registered. Note that instead
> of client_id and client_secret you can also use the Authorization header (see
> the code for more details).
>
> Marek
>
>
>
> On 13.4.2014 10:30, Nils Preusker wrote:
>
> To clarify, I've been looking at the various clients in the examples and
> know that I can simply add an authorization header with a bearer token to
> the REST requests. However, as far as I understand the examples and the
> code, all the login flows are based on login forms and redirects. While
> this is convenient for web applications, I'm missing a simple way for a
> "headless" client to obtain a token in return for application credentials
> or an API key. Are you planning to support this kind of use case?
>
>  Cheers,
> Nils
>
>
> On Sat, Apr 12, 2014 at 7:09 PM, Nils Preusker <n.preusker at gmail.com> wrote:
>
>> Hi all,
>>
>> I'm trying to figure out how I could use keycloak to secure a REST API
>> that is used by a pure backend REST client. Do you have any recommendations
>> for that (i.e. API keys)?
>>
>>  Cheers,
>> Nils
>>
>
>
>
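An added example, not code from this thread or from the Keycloak project: a headless Python client performing the Resource Owner Password Credentials grant Marek describes against that token endpoint. It URL-encodes the form (a hand-written curl string breaks on a password containing "&") and, as Marek notes is possible, sends the client credentials in an Authorization header rather than the body. The base URL, realm, client and user values are constructed placeholders, the response fields follow RFC 6749 section 5.1, and the `send` callable is an injectable transport so the flow can be exercised offline.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode


def token_request(base, realm, client_id, client_secret, username, password,
                  basic_auth=True):
    """Build (url, headers, body) for the grant against the endpoint named in
    the thread. With basic_auth=True the client credentials travel in an HTTP
    Basic Authorization header (RFC 6749 2.3.1) instead of the form body."""
    url = f"{base}/auth/rest/realms/{realm}/tokens/grants/access"
    form = {"username": username, "password": password}
    headers = {"Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    if basic_auth:
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    else:
        form.update(client_id=client_id, client_secret=client_secret)
    # urlencode escapes '&', '=' and '%' so user input cannot split the form.
    return url, headers, urlencode(form).encode()


def parse_token_response(raw):
    """Return (bearer header value, lifetime in seconds) from the JSON token
    response, or raise on an OAuth2 error document or a non-bearer token."""
    doc = json.loads(raw)
    if "access_token" not in doc:
        raise ValueError("token endpoint error: %s" % doc.get("error", "unknown"))
    if doc.get("token_type", "bearer").lower() != "bearer":
        raise ValueError("unexpected token_type %r" % doc["token_type"])
    return "Bearer " + doc["access_token"], int(doc.get("expires_in", 0))


def obtain_token(send=None, **kw):
    """Run the grant; the returned header value goes on subsequent REST calls
    as 'Authorization: Bearer <token>'. `send(url, headers, body)` is
    injectable; the default posts the form with urllib."""
    url, headers, body = token_request(**kw)
    if send is None:
        def send(url, headers, body):
            req = urllib.request.Request(url, data=body, headers=headers,
                                         method="POST")
            with urllib.request.urlopen(req) as resp:
                return resp.read()
    return parse_token_response(send(url, headers, body))
```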