<div dir="ltr">The answer depends on what your code is doing:<div><br></div><div>a) Is it a server not invoking services on behalf of users, but rather on behalf of itself? Then use service accounts and you can also use public/private key based auth here (client credential flow from oauth2).</div><div>b) Is it a user logging in through a non-browser based application? Then the ideal option if possible is to embed a web browser and use the authorization code flow. The alternative is to use direct grant (resource owner credential grant flow from oauth2).</div><div>c) Is it a background process invoking a service on behalf of users when the users are not online? Then use offline tokens.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 27 April 2016 at 17:17, Aikeaguinea <span dir="ltr"><<a href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">As I understand it, using the authorization code flow rather than the<br>
implicit flow is recommended where possible.<br>
<br>
We have a server-side client application, but the user agents making<br>
requests are not browsers, but instead our own code.<br>
<br>
I'm not entirely sure how to make the authorization code flow work<br>
without a browser. For instance, if on the command line I request<br>
<br>
curl<br>
'http://host:port/auth/realms/foo/protocol/openid-connect/auth?response_type=code&client_id=test-client&state=state&redirect_uri=<a href="http://www.example.com/hello-world" rel="noreferrer" target="_blank">http://www.example.com/hello-world</a>'<br>
<br>
Then (assuming the parameters are correct) I get back an HTML login page<br>
with a form. In order to submit the credentials, I would need to dig the<br>
URL out of the action of the form and then submit a request like<br>
<br>
curl -X POST -d 'username=test-user' -d 'password=test1234'<br>
'http://host:port/auth/realms/foo/login-actions/authenticate?code=Ctr79aRsbwPPkC4nEeT2vR9-TuC31uuXngQXoHQH6FE.ef26cfcd-a35b-4d1e-a4f7-49790f6e2f00&execution=a86f56da-9900-4f1d-a461-f18617a2333b'<br>
<br>
Three questions:<br>
1. Is there some reason I shouldn't be trying to implement the<br>
authorization code flow like this?<br>
<br>
2. Is there a way to get the proper login action back without having to<br>
dig it out of an HTML form? I've tried adding --header "Accept:<br>
application/json" to the command but this has no effect.<br>
<br>
3. Is there a way of submitting credentials other than by using form<br>
parameters? I've tried HTTP basic auth but it doesn't work for me.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Aikeaguinea<br>
<a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a><br>
<br>
--<br>
<a href="http://www.fastmail.com" rel="noreferrer" target="_blank">http://www.fastmail.com</a> - Same, same, but different...<br>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</font></span></blockquote></div><br></div>