[keycloak-user] Keycloak OAuth2 bearer token without using direct access grant

Ton Swieb ton at finalist.nl
Wed Dec 9 10:47:39 EST 2015


Hi Marek,

I got it working using the JS-Console example which uses the javascript
adapter.
I extended the JS-Console example with a function that does something like:

        var client = new XMLHttpRequest();
        client.open("GET", url, false);
        client.setRequestHeader("Accept", "application/json");
        client.setRequestHeader("Authorization", "Bearer " + keycloak.token);
        client.send();

The keycloak.token is available after a call to keycloak.login()

Thanks for pointing me in that direction.

Regards,

Ton
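The snippet above sends whatever is currently in keycloak.token. The following is an added example (not code from the thread or from the Keycloak project) that shows the same bearer-token request built as a plain request description, plus the check the JS adapter's updateToken() performs for you: reading the token's exp claim and refusing to reuse a token that is about to expire. The `keycloak` argument is a constructed stand-in for the adapter instance (only its `token` property is used); the sample token is constructed and carries a placeholder signature, and the decoder deliberately does not verify it, since verification is the resource server's job, not the browser's.

```javascript
// Added example for the keycloak-user thread above; not part of the original
// message or of the Keycloak JS adapter. Runs under Node (uses Buffer).

// Decode a JWT payload WITHOUT verifying the signature. The client only needs
// this to read `exp`; the API behind the gateway must still verify the token.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected header.payload.signature');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// True when the token has no numeric exp or expires within minValiditySeconds.
// Mirrors what keycloak.updateToken(minValidity) checks before refreshing.
function isExpiringSoon(token, nowSeconds, minValiditySeconds = 5) {
  const { exp } = decodeJwtPayload(token);
  return typeof exp !== 'number' || exp - nowSeconds < minValiditySeconds;
}

// The two headers the snippet in the message sets on its XMLHttpRequest.
function bearerHeaders(token) {
  return { Accept: 'application/json', Authorization: 'Bearer ' + token };
}

// Build the request the gateway call would make. `keycloak` is the adapter
// instance (stand-in here); keycloak.token is only set after keycloak.login().
function buildAuthorizedRequest(keycloak, url, nowSeconds) {
  if (!keycloak || !keycloak.token) {
    throw new Error('not authenticated: keycloak.token is only set after keycloak.login()');
  }
  if (isExpiringSoon(keycloak.token, nowSeconds)) {
    throw new Error('token expires too soon: call keycloak.updateToken() before sending');
  }
  return { method: 'GET', url: url, headers: bearerHeaders(keycloak.token) };
}

// --- constructed sample input (not a real Keycloak token) ---
function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Builds an unverifiable sample JWT with a placeholder signature segment.
function makeSampleToken(payload) {
  const header = { alg: 'RS256', typ: 'JWT' };
  return base64url(header) + '.' + base64url(payload) + '.placeholder-signature';
}

// Stand-alone demo: a token valid until t=1000, checked at t=900 and t=998.
const demoKeycloak = { token: makeSampleToken({ sub: 'ton', exp: 1000 }) };
const demoUrl = 'https://gateway.example.invalid/apiman-gateway/org/api/1.0/items';
console.log(buildAuthorizedRequest(demoKeycloak, demoUrl, 900).headers);
try {
  buildAuthorizedRequest(demoKeycloak, demoUrl, 998);
} catch (e) {
  console.log('refused:', e.message);
}
```

Because the expiry check runs on the client only for convenience, a wrong or tampered exp is harmless: the Keycloak OAuth plugin on the gateway still rejects any token whose signature or lifetime does not check out.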

2015-12-08 17:55 GMT+01:00 Ton Swieb <ton at finalist.nl>:

> Hi Marek,
>
> Thank you for your answer. I understand that I should use an adapter, but
> it is unclear to me how that will work in my situation.
>
> I will try to clarify.
> I am using JBoss Apiman which uses JBoss Keycloak to manage its realm.
> Both JBoss Apiman and JBoss Keycloak run on the same Wildfly application
> server. Apiman runs on wildfly so my assumption is that an adapter is
> already used to secure the Apiman GUI and to do the back channelling.
>
> But next to the Apiman GUI there is an Apiman gateway which uses a Keycloak
> OAuth plugin to enforce a security policy on managed api calls. The gateway
> itself is not secured by OAuth and is not known as a client in a keycloak
> realm. But the Keycloak OAuth plugin does expect a bearer token.
>
> I am unsure where I could apply an adapter to accomplish this and which
> adapter it should be.
>
> My setup is similar to the one discussed here:
> http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html
> with the difference that I use a third party login. So I cannot use direct
> access grants.
>
> Regards,
>
> Ton
>
>
> 2015-12-08 17:15 GMT+01:00 Marek Posolda <mposolda at redhat.com>:
>
>> After the OIDC authentication finishes, Keycloak will redirect to your
>> application with the "code" parameter. Keycloak will always do this, it
>> doesn't matter if you authenticated through SAML identity broker or
>> username/password form or any other method. Then you theoretically need to
>> exchange the code for access-token in backchannel request, however as long
>> as you use our adapters, you don't need to care about it as adapter will do
>> it for you.
>>
>> We have examples (using adapters) where you can also see how the bearer
>> access token is retrieved and then used for additional REST calls to REST
>> endpoints secured by bearer token. See the demo example and the
>> "customer-portal" and "product-portal" applications.
>>
>> Marek
>>
>> On 08/12/15 16:48, Ton Swieb wrote:
>>
>> Hi,
>>
>> How can I obtain a bearer token from keycloak without using the direct
>> access grant (
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html
>> ).
>>
>> I have configured a SAML Identity Broker in Keycloak which handles the
>> login for my realm. As a result I do not have a username/password
>> combination to POST it to:
>>
>> /{keycloak-root}/realms/{realm-name}/protocol/openid-connect/token
>>
>> How would I obtain a bearer token in this situation?
>>
>> Kind regards,
>>
>> Ton
>>
>>
>