[keycloak-user] Mobile app authentication flow

Dmitry Telegin dt at acutus.pro
Mon Nov 12 01:36:21 EST 2018


Hello Joe, answers inline,

On Thu, 2018-11-08 at 07:25 +1100, Joe Livu wrote:
> Hi,
> 
> I came across KeyCloak while searching for a security provider and was
> immediately impressed.
> 
> I am planning on building a REST API using ASP.NET Core
> Web API to be consumed by a mobile application to be built using Google's
> Flutter framework. I have a few questions.
> 
> 1. Would KeyCloak be suitable for securing my REST API which is built using
> C# (ASP.NET Core Web API)? If so, can I get a brief
> explanation and steps that need to be taken to achieve this?

Please take a look at this:
https://andrewlock.net/an-introduction-to-openid-connect-in-asp-net-core/

> 2. Now I need my mobile app to consume the REST API secured by KeyCloak.
> For authenticating users (e.g., via login screen using username/password
> credentials), how would this be done? Which grant type and flow will be
> suitable? The Web application demo shows a redirect to the KeyCloak server
> for authentication and then back to the app. It seems this cannot be
> applied for mobile apps (correct me if am wrong), so what would be the best
> approach for a mobile application? I would think KeyCloak would provide a
> REST API for such cases but I can only find an Admin REST API for admin
> purposes only. Any help regarding this would be very much appreciated.

For mobile apps, there are basically two options.

That "REST API for authentication" you're talking about is called "direct grant" in Keycloak's terms:
https://www.keycloak.org/docs/latest/securing_apps/index.html#_resource_owner_password_credentials_flow

You can create your own GUI form to ask a user for credentials and then use direct grant to obtain a token. In this case, you will generally be limited to simple login/password authentication (no OTP, brokering, etc.).

Or you can embed a web view, use Keycloak JavaScript adapter (link below) to handle interaction with Keycloak, and then retrieve tokens from it.
https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter

As always, both methods have their benefits and drawbacks.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

> 
> Kind regards,
> 
> Joe Livu
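The direct grant exchange Dmitry describes, as an added example (not code from this thread or from the Keycloak project): a small Python client that builds the grant_type=password request a login screen would submit, parses the token endpoint's reply, reads the expiry out of the access token, and attaches the token as a Bearer header for calls to the ASP.NET Core API. The server URL, the realm "demo" and the public client "mobile-app" are placeholders, and the token response used offline is constructed and unsigned.

```python
# Direct grant (Resource Owner Password Credentials) against Keycloak.
# Added example, not from the thread or the Keycloak project. Placeholders:
# KEYCLOAK_BASE, realm "demo", public client "mobile-app" with
# "Direct Access Grants Enabled" turned on in the admin console.
import base64
import json
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "https://keycloak.example.com/auth"  # placeholder; /auth is the context path of older servers
REALM = "demo"                                        # placeholder
CLIENT_ID = "mobile-app"                              # placeholder public client


def token_endpoint(base_url: str, realm: str) -> str:
    """OIDC token endpoint of a Keycloak realm."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def direct_grant_form(client_id: str, username: str, password: str) -> dict:
    """Form fields the login screen submits (grant_type=password)."""
    return {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password, "scope": "openid"}


def refresh_form(client_id: str, refresh_token: str) -> dict:
    """Form fields to swap a refresh token for a fresh access token."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}


def post_form(url: str, form: dict) -> dict:
    """POST an x-www-form-urlencoded body and decode the JSON reply (live network call)."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def parse_token_response(payload: dict) -> dict:
    """Keep what the mobile client needs; turn OAuth error replies into exceptions."""
    if "error" in payload:
        raise PermissionError(f"{payload['error']}: {payload.get('error_description', '')}")
    missing = [k for k in ("access_token", "expires_in", "refresh_token") if k not in payload]
    if missing:
        raise ValueError(f"token response lacks {missing}")
    return {"access_token": payload["access_token"],
            "expires_in": int(payload["expires_in"]),
            "refresh_token": payload["refresh_token"]}


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    Fine for the client to read `exp` and schedule a refresh; the resource
    server (the ASP.NET Core API) must verify the signature against the
    realm's public keys before trusting any claim in it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def bearer_header(access_token: str) -> dict:
    """Header the app attaches to every call to the protected REST API."""
    return {"Authorization": f"Bearer {access_token}"}


def login(username: str, password: str) -> dict:
    """Whole exchange against a live server: credentials in, tokens out."""
    url = token_endpoint(KEYCLOAK_BASE, REALM)
    return parse_token_response(post_form(url, direct_grant_form(CLIENT_ID, username, password)))


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed stand-in for a real token response (unsigned), so the rest runs offline.
SAMPLE_ACCESS_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"exp": 1541999999, "preferred_username": "joe", "azp": CLIENT_ID}).encode()),
    _b64url(b"constructed-not-a-real-signature")])
SAMPLE_RESPONSE = {"access_token": SAMPLE_ACCESS_TOKEN, "expires_in": 300,
                   "refresh_expires_in": 1800, "refresh_token": "constructed-refresh-token",
                   "token_type": "bearer"}

if __name__ == "__main__":
    tokens = parse_token_response(SAMPLE_RESPONSE)
    print(jwt_claims(tokens["access_token"]), bearer_header(tokens["access_token"]))
```

With a real server, `login()` performs the exchange and `refresh_form()` renews the access token before the `exp` claim passes, so the password is sent once rather than on every request. Because the app itself handles the raw credentials in this flow, it is limited to what the form can collect, which is the OTP and brokering restriction Dmitry mentions; the only party that should ever trust the token's claims is the API that verifies its signature.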