[keycloak-user] Native applications and federated login

Tomas Groth Christensen tgc at dma.dk
Wed Nov 11 09:27:23 EST 2015


Hi,

I have a question about how to use OpenID Connect and Keycloak and hope that someone here will be able to help.
I'm part of a project where federated login will be used. We are planning to use Keycloak as Identity Broker, and multiple Identity Providers will be set up; some Identity Providers will be Keycloak instances, others not. For now the assumption is that all the Identity Providers will support OpenID Connect.

One of the use cases we need to support is authentication of applications for communication to web services (machine-to-machine communication), but it is causing us some trouble.
The web services will be created as clients in the Keycloak Identity Broker. But how do we authenticate the applications?
The applications will not be browser-based, so using the web interface for authentication is not possible. There exist some guides (including this Keycloak blog post: http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html) that describe how this can be done when using Keycloak directly as Identity Provider, but I haven't been able to find any solutions for how to make it work when there is an Identity Broker involved.

Reading the Keycloak documentation, I couldn't help noticing the big fat warning in the chapter about Direct Access Grant (http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html), which discourages bypassing the web interface. This leads me to think that this kind of federated authentication without a browser is not supported by OpenID Connect, or am I missing something?

I've had a look at offline tokens, but to generate them, manual browser-based authentication is still needed, at least as far as I can see...

I hope someone on the list has an idea for a smart workaround :)

Best regards,
Tomas
