[keycloak-user] Keycloak grant_type

Marek Posolda mposolda at redhat.com
Mon Apr 24 03:38:54 EDT 2017


Hi,

Keycloak uses the OpenID Connect / OAuth2 protocol. Once you 
authenticate in Keycloak, Keycloak redirects to the application 
with the "code" and "state" parameters. Then your application is supposed 
to use this code in the code-to-token request (the request needs to be sent 
to the endpoint you mentioned).

The important thing is that if you use our built-in adapters, you don't 
need to care about any protocol details at all. The adapter will 
automatically send the request to the token endpoint and exchange the 
code for the token. Similarly, it automatically handles token refreshing, 
logouts etc.

We have examples on how to use our adapters. You can take a look at 
them. You need to care about exchanging the code manually etc. only in 
case you can't use our adapters for some reason. But using our adapters 
(or at least some other existing 3rd party OIDC/OAuth2 adapter) is 
the preferred way over writing the whole OIDC/OAuth2 workflow yourself, as 
that's quite error prone.

Marek


On 22/04/17 19:51, Tech wrote:
> Hi,
>
> We are trying to set up a working login infrastructure as follows: an
> application which we are trying to log in to through Keycloak.
>
> The flow is as follows: we get to the application, which redirects us to
> Keycloak, which should log the user and give correct access rights. This
> works, Keycloak is putting the correct cookies (KEYCLOAK_IDENTITY,
> KEYCLOAK_SESSION) and that redirects us back to the application.
>
> The problem that we have is that we are not able to identify the user
> logged in to Keycloak. This is doable by the access_token, if we would
> work with REST calls, but we only have the KEYCLOAK_IDENTITY cookie.
>
> We are trying to somehow get the openid token with this
> url /auth/realms/demo/protocol/openid-connect/token with the following
> URL Encoded params:
>
> - grant_type: authorization_code
> - client_id: *client-id*
> - client_secret: *secret*
> - code: ???what code should we provide here??? (we tried adding the code
> seen from browser requests but that throws invalid_code error)
>
> The actual problem is that there is no available example in the
> documentation (or at least we didn't find any) that shows how to set up a
> login flow without access_token request.
>
> Thanks,
>
> Alin
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
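
The code-to-token step described in the reply above, as an added example that is not part of the original thread and not Keycloak adapter code. Host names, client id, secret, state and redirect URI are constructed sample values and the function names are hypothetical; `redirect_uri` is not in the thread's parameter list but OAuth2 requires it in the token request when it was sent in the login redirect, and the code is single-use and must be the one delivered to the application's own redirect.

```python
import hmac
import urllib.parse
import urllib.request

# Path taken from the thread; everything else below is a constructed sample.
TOKEN_PATH = "/auth/realms/{realm}/protocol/openid-connect/token"


def code_from_callback(callback_url, expected_state):
    """Return the authorization code from the redirect back to the application.

    Rejects the callback unless "state" equals the value the application
    stored in the user's session before redirecting to Keycloak (CSRF check).
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def build_token_request(base_url, realm, code, redirect_uri, client_id, client_secret):
    """Build (but do not send) the code-to-token POST for a confidential client."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one used in the login redirect
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    url = base_url.rstrip("/") + TOKEN_PATH.format(realm=urllib.parse.quote(realm, safe=""))
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


if __name__ == "__main__":
    # Constructed callback, as the browser would deliver it to the application.
    cb = "https://app.example.test/callback?state=s3ss10n-state&code=abc.123"
    req = build_token_request("https://sso.example.test", "demo",
                              code_from_callback(cb, "s3ss10n-state"),
                              "https://app.example.test/callback", "my-client", "my-secret")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Sending the request with `urllib.request.urlopen(req)` over HTTPS returns the JSON token response; the request is only built here so the example runs offline.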



