[keycloak-user] Using Direct Grant Access in Android app

Maxime Cadoret Maxime.Cadoret at insa-rennes.fr
Thu Sep 28 09:03:24 EDT 2017


Hello everyone,

I am currently working on an Android project and I'm trying to use KeyCloak as an authentication module. 
[Disclaimer] I'm still a student so my questions might appear completely off-mark. I managed to get KeyCloak to work by testing every scrap of code I found about the subject on the internet, so it might not be the right way to do things, but it does what I need.

(mostly from this post : http://lists.jboss.org/pipermail/keycloak-user/2016-January/004445.html)

I previously managed to connect to keycloak by:
1 - using a webview
2 - loading the login page url
3 - getting the user to provide login/pwd on the page
4 - getting a code back with the previous url (protocol/openid-connect/auth?response_type=code&client_id=android_app&redirect_uri=android://app)
5 - sending this code towards another url in a form:

import org.keycloak.representations.AccessTokenResponse;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

RestTemplate template = new RestTemplate();
template.getMessageConverters().add(new FormHttpMessageConverter());
template.getMessageConverters().add(new MappingJackson2HttpMessageConverter());
// Authorization-code exchange: trade the code received on the redirect for tokens
MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
form.add("grant_type", "authorization_code");
form.add("client_id", "android_app");
form.add("code", code);
form.add("redirect_uri", "android://app");
ResponseEntity<AccessTokenResponse> rssResponse = template.postForEntity(
        "xxx/auth/realms/{realm}/protocol/openid-connect/token", form,
        AccessTokenResponse.class);

6 - parsing this JWT into what I need.


I found that you could use Direct Grant Access to avoid using the "keycloak login page" and I am wondering if I'm doing things right when I use it.
I'm actually trying to provide the login and password from an NFC tag and it can't really work with the usual page.

What I'm doing now is:

1 - Create a form containing my password and login (as clear as water)
2 - Send it to KeyCloak

import org.keycloak.representations.AccessTokenResponse;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

RestTemplate template = new RestTemplate();
template.getMessageConverters().add(new FormHttpMessageConverter());
template.getMessageConverters().add(new MappingJackson2HttpMessageConverter());
// Direct Access Grant (password grant): the user's credentials travel in the form body
MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
form.add("grant_type", "password");
form.add("client_id", "android_app");
form.add("username", "test");
form.add("password", "test");
form.add("redirect_uri", "android://app");
ResponseEntity<AccessTokenResponse> rssResponse = template.postForEntity(
        "xxx/auth/realms/{realm}/protocol/openid-connect/token", form,
        AccessTokenResponse.class);

But I'm worried about the login and password in this message.
Isn't it vulnerable since I'm using HTTP? Or if I add HTTPS, will it be secure enough?
I'm really not familiar with this process, so I'm open to any suggestions or explanations.


Thanks in advance for reading (sorry for my English if there are mistakes).
Best regards,
Maxime.
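As an added illustration for the question above (not code from Maxime's post or from the Keycloak project): the same Direct Access Grant call, written with Android's bundled HttpsURLConnection and org.json instead of Spring's RestTemplate, that refuses to send the form at all unless the token endpoint is HTTPS, since the password is otherwise readable by anyone on the network path. The host and realm in the endpoint URL are placeholders, and redirect_uri is left out because it belongs to the authorization-code flow, not the password grant.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Scanner;
import javax.net.ssl.HttpsURLConnection;
import org.json.JSONObject;

public final class DirectGrantClient {
    private final URI tokenEndpoint;

    // tokenEndpointUrl (placeholder): https://<keycloak-host>/auth/realms/<realm>/protocol/openid-connect/token
    public DirectGrantClient(String tokenEndpointUrl) {
        URI uri = URI.create(tokenEndpointUrl);
        // The form carries the user's password in clear text, so refuse anything but TLS.
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("token endpoint must use https: " + tokenEndpointUrl);
        }
        this.tokenEndpoint = uri;
    }
    // Resource Owner Password Credentials grant (Keycloak "Direct Access Grants"): POST
    // grant_type=password and return the parsed JSON (access_token, refresh_token, expires_in, ...).
    public JSONObject requestToken(String clientId, String username, String password) throws IOException {
        String body = "grant_type=password&client_id=" + encode(clientId)
                + "&username=" + encode(username) + "&password=" + encode(password);
        HttpsURLConnection conn = (HttpsURLConnection) tokenEndpoint.toURL().openConnection();
        conn.setRequestMethod("POST"); conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        int status = conn.getResponseCode();
        String json = readAll(status < 400 ? conn.getInputStream() : conn.getErrorStream());
        if (status != 200) { // e.g. 401 {"error":"invalid_grant"} for bad credentials; never log the form body
            throw new IOException("token request failed: HTTP " + status + " " + json);
        }
        return new JSONObject(json);
    }
    private static String encode(String s) throws IOException {
        return URLEncoder.encode(s, StandardCharsets.UTF_8.name()); // escapes '&', '=', '@', ...
    }
    private static String readAll(InputStream in) {
        if (in == null) return "";
        try (Scanner s = new Scanner(in, StandardCharsets.UTF_8.name()).useDelimiter("\\A")) {
            return s.hasNext() ? s.next() : "";
        }
    }
}
```

HTTPS protects the credentials in transit only; the device still has to trust the server certificate it is actually talking to, and the password itself should not be stored or logged by the app.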

