[keycloak-user] How to get access token with SPNEGOAuthenticator?

Marek Posolda mposolda at redhat.com
Wed Dec 5 03:12:35 EST 2018


On 25/11/2018 05:11, ola rob wrote:
> Hi,
>
> For some legacy reasons, we are using keycloak API/services for
> authentication but not redirecting our application to keycloak. We are able
> to get access token and refresh token (AccessTokenResponse.class) when we
> authenticate using login API by sending username and password. But we are
> unable to get them when authenticating using spnego token.
> The SPNEGOAuthenticator class doesn't return any access token after
> successful authentication. We need these tokens to manage our application
> session internally. So, how can we get access and refresh token or response
> similar to username password authentication?

Are you using the OAuth2 Resource-Owner-Password-Credentials (Direct
grant) flow? Can you send an example of the HTTP request and response
you're using, just to confirm we're on the same page?

We don't have support for SPNEGO authentication in the
Resource-Owner-Password-Credentials flow (assuming you're using that
flow). There is an open JIRA for this. What you can possibly do is
write your own authenticator implementation, which will handle SPNEGO,
and then create an authentication flow with your custom authenticator
added. The authenticator can probably re-use lots of the code that the
SpnegoAuthenticator used for the "browser" flow is using. The flow will
likely also need to contain other authenticators (e.g. the existing
authenticators for username/password, assuming that you want to support
both username/password and SPNEGO). See the Keycloak server development
guide and our quickstarts for authentication for more details.

Marek

>
>   SPNEGOAuthenticator spnegoAuthenticator =
>       new SPNEGOAuthenticator(kerberosConfig, kerberosAuth, spnegoToken);
>   spnegoAuthenticator.authenticate();
>   if (spnegoAuthenticator.isAuthenticated()) {
>       // returning the username correctly.
>       String username = spnegoAuthenticator.getAuthenticatedUsername();
>   }
>
> Thanks in advance!
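A sketch of the custom authenticator suggested in the reply above, as an added example that is not part of the original thread and not Keycloak's own code. The class and package names are hypothetical; it assumes the Keycloak 4.x-era server SPI and a realm whose Kerberos/LDAP user federation is already configured to validate SPNEGO tokens.

```java
// Added example: hypothetical direct-grant SPNEGO authenticator (not Keycloak's own code).
// Assumes the Keycloak 4.x-era server SPI and Kerberos user federation in the realm.
package org.example.keycloak;

import javax.ws.rs.core.HttpHeaders;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;

public class DirectGrantSpnegoAuthenticator implements Authenticator {

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String header = context.getHttpRequest().getHttpHeaders()
                .getHeaderString(HttpHeaders.AUTHORIZATION);
        String[] parts = header == null ? new String[0] : header.trim().split("\\s+");
        if (parts.length != 2 || !"Negotiate".equalsIgnoreCase(parts[0])) {
            // No SPNEGO token: let an ALTERNATIVE username/password execution run.
            context.attempted();
            return;
        }
        // Hand the token to the Kerberos federation provider; never log it.
        CredentialValidationOutput output = context.getSession().userCredentialManager()
                .authenticate(context.getSession(), context.getRealm(),
                        UserCredentialModel.kerberos(parts[1]));
        if (output != null
                && output.getAuthStatus() == CredentialValidationOutput.Status.AUTHENTICATED) {
            // The token token endpoint issues access/refresh tokens for this user.
            context.setUser(output.getAuthenticatedUser());
            context.success();
        } else {
            // Direct grant is a single request, so there is no second Negotiate round.
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
        }
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The class still needs an AuthenticatorFactory registration before it can be added to a copy of the direct grant flow. Because the Authorization header carries the Negotiate token here, a confidential client would have to send its client credentials in the form body instead.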