<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div>We have something of a special case. We have privileged devices for which we will use service accounts and certificates/JWT based authentication.<br></div>
<div> </div>
<div>Then we will have a user (employee of ours) perform a second log in to the application running on the device. The particulars don't allow us to use a browser in this instance. (For one thing, the user's credentials are not a username/password -- I've had to create a special authenticator for this purpose. But this isn't the only reason.) So, to Brian's question, we are not embedding these credentials in our code.<br></div>
<div> </div>
<div>Since the device is trusted, we could use the password credentials grant. However, since this is a fairly high-security situation we'd prefer not to be sending access tokens over the wire, particularly if we're only relying on TLS for encrypting the token.<br></div>
<div> </div>
<div>We could, on the other hand, use the authorization code flow--I'd just have to follow the redirects and dig the form action out of the form that's returned in the challenge page. I was just wondering if there was some way to access that URL other than by chomping on the HTML, e.g., by using a different "Accept:" header.<br></div>
<div> </div>
<div> </div>
<div>On Thu, Apr 28, 2016, at 12:58 AM, Stian Thorgersen wrote:<br></div>
<blockquote type="cite"><div dir="ltr"><div>The answer depends on what your code is doing:<br></div>
<div> </div>
<div>a) Is it a server not invoking services on behalf of users, but rather on behalf of itself? Then use service accounts and you can also use public/private key based auth here (client credential flow from oauth2).<br></div>
<div>b) Is it a user logging in through a non-browser based application? Then the ideal option if possible is to embed a web browser and use the authorization code flow. The alternative is to use direct grant (resource owner credential grant flow from oauth2).<br></div>
<div>c) Is it a background process invoking a service on behalf of users when the users are not online? Then use offline tokens.<br></div>
</div>
<div><div> </div>
<div defang_data-gmailquote="yes"><div>On 27 April 2016 at 17:17, Aikeaguinea <span dir="ltr"><<a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a>></span> wrote:<br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex;" defang_data-gmailquote="yes"><div>As I understand it, using the authorization code flow rather than the<br></div>
<div> implicit flow is recommended where possible.<br></div>
<div> </div>
<div> We have a server-side client application, but the user agents making<br></div>
<div> requests are not browsers, but instead our own code.<br></div>
<div> </div>
<div> I'm not entirely sure how to make the authorization code flow work<br></div>
<div> without a browser. For instance, if on the command line I request<br></div>
<div> </div>
<div> curl<br></div>
<div> 'http://host:port/auth/realms/foo/protocol/openid-connect/auth?response_type=code&client_id=test-client&state=state&redirect_uri=<a href="http://www.example.com/hello-world">http://www.example.com/hello-world</a>'<br></div>
<div> </div>
<div> Then (assuming the parameters are correct) I get back an HTML login page<br></div>
<div> with a form. In order to submit the credentials, I would need to dig the<br></div>
<div> URL out of the action of the form and then submit a request like<br></div>
<div> </div>
<div> curl -X POST -d 'username=test-user' -d 'password=test1234'<br></div>
<div> 'http://host:port/auth/realms/foo/login-actions/authenticate?code=Ctr79aRsbwPPkC4nEeT2vR9-TuC31uuXngQXoHQH6FE.ef26cfcd-a35b-4d1e-a4f7-49790f6e2f00&execution=a86f56da-9900-4f1d-a461-f18617a2333b'<br></div>
<div> </div>
<div> Three questions:<br></div>
<div> 1. Is there some reason I shouldn't be trying to implement the<br></div>
<div> authorization code flow like this?<br></div>
<div> </div>
<div> 2. Is there a way to get the proper login action back without having to<br></div>
<div> dig it out of an HTML form? I've tried adding --header "Accept:<br></div>
<div> application/json" to the command but this has no effect.<br></div>
<div> </div>
<div> 3. Is there a way of submitting credentials other than by using form<br></div>
<div> parameters? I've tried HTTP basic auth but it doesn't work for me.<br></div>
<div> <span><span class="colour" style="color:rgb(136, 136, 136)"><br> --<br> Aikeaguinea<br> <a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a><br> <br> --<br> <a href="http://www.fastmail.com">http://www.fastmail.com</a> - Same, same, but different...<br> <br> _______________________________________________<br> keycloak-user mailing list<br> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></span></span></div>
</blockquote></div>
</div>
</blockquote><div> </div>
<div id="sig3995191"><div class="signature">--<br></div>
<div class="signature"> Aikeaguinea<br></div>
<div class="signature"> aikeaguinea@xsmail.com<br></div>
<div class="signature"> </div>
</div>
<div> </div>
<pre>
--
http://www.fastmail.com - Same, same, but different...
</pre>
</body>
</html>