<div dir="ltr">From your message I don&#39;t see how you can use Keycloak adapters for a Java client application (no UI) to access an API secured with Keycloak. The API resource is secured with Keycloak and is using Keycloak adapter. The client app should invoke those two URLs (or just the second one for direct grants). I can see you only have a JavaScript library (adapter) for this purpose. </div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div style="font-family:arial;font-size:small"><div dir="ltr"><font color="#888888">Regards,<br>Pavel Maslov, MS</font><br></div></div><div style="font-family:arial;font-size:small"><font color="#888888">oPAC fellow at Cosylab</font></div></div></div></div>
<br><div class="gmail_quote">On Mon, Nov 23, 2015 at 9:12 AM, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <div>Keycloak handles this scenario well.
      Adapters are used not only on the REST resource side, but also on the UI
      application side (the application which wants to redirect to the Keycloak
      login and exchange the code for a token).<br>
      <br>
      One of the points of Keycloak is that you don&#39;t need to code anything in
      order to handle the OIDC / OAuth2 flow. The server part of the
      specification is implemented by the Keycloak auth-server and the
      client part of the specification is implemented by our adapters. You
      don&#39;t need to care about redirection to the Keycloak login screen or
      about exchanging the code for a token etc. The adapters do all of this for
      you. You can also enable &quot;consent&quot; for your client, in which case
      the user&#39;s consent screen will be displayed during authentication
      by the Keycloak server. Again, no need to code anything custom.<br>
      <br>
      When you want to send a request to the REST resource, you need to add
      the accessToken to the &quot;Authorization: Bearer&quot; header, which will
      authenticate the request.<br>
      <br>
      Take a look at our demo examples (customer-portal, product-portal,
      oauth-client) for more details.<span class="HOEnZb"><font color="#888888"><br>
      <br>
      Marek</font></span><div><div class="h5"><br>
      <br>
      On 20/11/15 13:58, Pavel Maslov wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">Hey Marek, 
        <div><br>
        </div>
        <div><br>
        </div>
        <div>As far as I understood, adapters are used on the Resource
          side (e.g. the API you would like to secure with Keycloak).</div>
        <div>Here, I am calling the API (resource) from a 3rd party
          application (client). First it needs a user&#39;s consent to use
          the API on his behalf. Then it gets the auth_code, which is
          then used to obtain the access token. Then the client is free
          to utilize the API on behalf of the user.</div>
        <div><br>
        </div>
        <div>Does the Keycloak auth workflow differ slightly from the
          standard OAuth2.0 procedure? Or am I missing something?</div>
        <div>Thanks.</div>
        <div class="gmail_extra"><br>
        </div>
        <div class="gmail_extra"><br clear="all">
          <div>
            <div>
              <div dir="ltr">
                <div style="font-family:arial;font-size:small">
                  <div dir="ltr"><font color="#888888">Regards,<br>
                      Pavel Maslov, MSc</font></div>
                </div>
              </div>
            </div>
          </div>
          <br>
          <div class="gmail_quote">On Fri, Nov 20, 2015 at 1:41 PM,
            Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div text="#000000" bgcolor="#FFFFFF"><span>
                  <div>On 20/11/15 12:18, Pavel Maslov wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>Hi everyone,</div>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                      <div>From the user documentation I could not
                        find the authorization grant url (a la github&#39;s
                        <span><a href="https://github.com/login/oauth/authorize" target="_blank">https://github.com/login/oauth/authorize</a></span>)
                        and Get token url (a la <span><a href="https://github.com/login/oauth/access_token" target="_blank">https://github.com/login/oauth/access_token</a></span>).</div>
                      <div><br>
                      </div>
                      <div>I presume it&#39;s <a href="http://%7Bkeycloak_base%7D/realms/%7Brealm-name%7D/protocol/openid-connect/auth?client_id=%7Bclient_name%7D&amp;response_type=code" target="_blank">{keycloak_base}/realms/{realm-name}/protocol/openid-connect/auth?client_id={client_name}&amp;response_type=code</a> and

                        <a href="http://%7Bkeycloak_base%7D/realms/%7Brealm-name%7D/protocol/openid-connect/token" target="_blank">{keycloak_base}/realms/{realm-name}/protocol/openid-connect/token</a> respectively,

                        but I am not sure.</div>
                    </div>
                  </blockquote>
                </span> Yes, your URLs are correct. However if you want
                to use the default Authorization Code Grant flow and
                browser applications, you can just use our adapters. You
                don&#39;t even need to know the authorization grant url and
                token URL as adapters handle all the redirections and
                exchanges for you.<br>
                <br>
                I suggest taking a look at our examples.<br>
                <br>
                And here are the docs for adapters: <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html</a><br>
                <br>
                Marek
                <blockquote type="cite"><span>
                    <div dir="ltr">
                      <div><br>
                      </div>
                      <div>I would like to follow the standard OAuth2.0
                        workflow:</div>
                      <div>
                        <ol>
                          <li>Get Auth grant (GET on <span><a href="https://github.com/login/oauth/authorize" target="_blank">https://github.com/login/oauth/authorize</a></span>)</li>
                          <li>Get access token in exchange for the auth
                            grant code (POST on <span><a href="https://github.com/login/oauth/access_token" target="_blank">https://github.com/login/oauth/access_token</a></span>)<br>
                          </li>
                          <li>Use the resource using the access token
                            gotten in step 2.</li>
                        </ol>
                      </div>
                      <div>Please, correct me if I am wrong.</div>
                      <div>Thanks.</div>
                      <br clear="all">
                      <div>
                        <div>
                          <div dir="ltr">
                            <div style="font-family:arial;font-size:small">
                              <div dir="ltr"><font color="#888888">Regards,<br>
                                  Pavel Maslov, MSc</font></div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </span>
                </blockquote>
                <br>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
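The three-step flow discussed in this thread, written out for a Java client that does not use an adapter; this is an added example, not code from the thread or from the Keycloak project. It builds the requests against the two endpoints confirmed above without sending them, and adds the standard OAuth 2.0 `redirect_uri` and `state` parameters so the callback can be tied to the login attempt that started it. Assumptions: Java 11+, a public client (a confidential client would also authenticate at the token endpoint), and the server, realm, client id and redirect URI, which are constructed placeholders.

```java
import java.net.*;
import java.net.http.HttpRequest;
import java.security.SecureRandom;
import static java.nio.charset.StandardCharsets.UTF_8;

public class KeycloakCodeFlow {
    static final String BASE = "https://keycloak.example.test/auth", REALM = "demo"; // constructed placeholders
    static final String CLIENT_ID = "my-java-client", REDIRECT = "http://localhost:8081/callback"; // assumptions
    static String endpoint(String n) { return BASE + "/realms/" + REALM + "/protocol/openid-connect/" + n; }
    static String form(String... kv) { // URL-encode ordered key/value pairs
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < kv.length; i += 2)
            sb.append(i > 0 ? "&" : "").append(URLEncoder.encode(kv[i], UTF_8))
              .append('=').append(URLEncoder.encode(kv[i + 1], UTF_8));
        return sb.toString();
    }
    static String newState() { // unguessable value tying the callback to this login attempt
        byte[] b = new byte[16]; new SecureRandom().nextBytes(b);
        return java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    static URI authorizationUrl(String state) { // step 1: open in the user's browser
        return URI.create(endpoint("auth") + "?" + form("client_id", CLIENT_ID,
            "response_type", "code", "redirect_uri", REDIRECT, "state", state));
    }
    static String codeFromCallback(URI cb, String expectedState) { // redirect back from Keycloak
        String code = null, state = null, q = cb.getRawQuery();
        for (String p : (q == null ? "" : q).split("&")) {
            String[] kv = p.split("=", 2);
            String v = kv.length > 1 ? URLDecoder.decode(kv[1], UTF_8) : "";
            if (kv[0].equals("code")) code = v;
            if (kv[0].equals("state")) state = v;
        }
        if (code == null || !expectedState.equals(state)) // callback not started by this client
            throw new SecurityException("callback rejected: missing code or state mismatch");
        return code;
    }
    static HttpRequest tokenRequest(String code) { // step 2: POST to the token URL
        return HttpRequest.newBuilder(URI.create(endpoint("token")))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form("grant_type", "authorization_code",
                "code", code, "redirect_uri", REDIRECT, "client_id", CLIENT_ID))).build();
    }
    public static void main(String[] args) {
        String state = newState();
        System.out.println("1. browser -> " + authorizationUrl(state));
        URI cb = URI.create(REDIRECT + "?code=constructed-code&state=" + state); // constructed callback
        System.out.println("2. POST " + tokenRequest(codeFromCallback(cb, state)).uri());
        System.out.println("3. GET <API url> with header Authorization: Bearer <access_token from step 2>");
    }
}
```

To perform the exchange, pass the request from `tokenRequest` to `java.net.http.HttpClient` and read `access_token` from the JSON response.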