[keycloak-user] How to get access token with SPNEGOAuthenticator?

ola rob robstyle1234 at gmail.com
Thu Dec 6 05:33:44 EST 2018


Thanks Marek! Yes, we are using direct grant flow. Does this approach also
need browser redirection? If yes, then this may not help us as we are
looking for just an API to pass spnego token and get the user authenticated
resulting in an access/refresh token. The challenge negotiation with browser
is being handled internally by us.

Thanks!

On Wed, Dec 5, 2018 at 1:42 PM Marek Posolda <mposolda at redhat.com> wrote:

> On 25/11/2018 05:11, ola rob wrote:
> > Hi,
> >
> > For some legacy reasons, we are using keycloak API/services for
> > authentication but not redirecting our application to keycloak. We are able
> > to get access token and refresh token (AccessTokenResponse.class) when we
> > authenticate using login API by sending username and password. But we are
> > unable to get them when authenticating using spnego token.
> > The SPNEGOAuthenticator class doesn't return any access token after
> > successful authentication. We need these tokens to manage our application
> > session internally. So, how can we get access and refresh token or response
> > similar to username password authentication?
>
> Are you using OAuth2 Resource-Owner-Password-Credentials (Direct grant)
> flow? Can you send an example of HTTP request and response you're using
> just to confirm we're on same page?
>
> We don't have support for SPNEGO authentication in the
> Resource-Owner-Password-Credentials flow (assuming you're using that
> flow). There is an open JIRA for this. What you can possibly do, is to
> write your own authenticator implementation, which will handle SPNEGO,
> and then create authentication flow with your custom authenticator
> added. The authenticator can probably re-use lots of the code, which the
> SpnegoAuthenticator used for the "browser" flow is using. The flow will
> likely need to contain also other authenticators (e.g. existing
> authenticators for username/password assuming that you want to support
> both username/password and SPNEGO). See Keycloak server development
> guide and our quickstarts for the authentication for more details.
>
> Marek
>
> >
> >   SPNEGOAuthenticator spnegoAuthenticator =
> >       new SPNEGOAuthenticator(kerberosConfig, kerberosAuth, spnegoToken);
> >   spnegoAuthenticator.authenticate();
> >   if (spnegoAuthenticator.isAuthenticated()) {
> >       // returning the username correctly.
> >       String username = spnegoAuthenticator.getAuthenticatedUsername();
> >   }
> >
> > Thanks in advance!
>
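
A sketch of the custom authenticator Marek describes, as an added example that is not code from this thread or from the Keycloak project. It assumes the Keycloak 4.x Authenticator SPI, a hypothetical class name, an `Authorization: Negotiate <token>` header on the token request (so client credentials travel in the form body), and registration through an AuthenticatorFactory in a copy of the direct grant flow, placed ahead of the username/password authenticators.

```java
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;

// Hypothetical class; the header convention below is an assumption of this example.
public class DirectGrantSpnegoAuthenticator implements Authenticator {
    private static final String NEGOTIATE = "Negotiate ";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String header = context.getHttpRequest().getHttpHeaders()
                .getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith(NEGOTIATE)) {
            // No SPNEGO token supplied: let the username/password authenticators run.
            context.attempted();
            return;
        }
        String spnegoToken = header.substring(NEGOTIATE.length()).trim();
        // Same validation path the browser-flow SpnegoAuthenticator relies on:
        // the Kerberos user storage provider checks the ticket and maps the user.
        UserCredentialModel credential = UserCredentialModel.kerberos(spnegoToken);
        CredentialValidationOutput output = context.getSession().userCredentialManager()
                .authenticate(context.getSession(), context.getRealm(), credential);
        if (output != null
                && output.getAuthStatus() == CredentialValidationOutput.Status.AUTHENTICATED) {
            context.setUser(output.getAuthenticatedUser());
            context.success(); // the token endpoint then issues access/refresh tokens
        } else {
            // Direct grant has no browser to re-challenge, so fail closed with a 401.
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS,
                    Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```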

