<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div>I ran into this issue when wanting to use the auth code flow without a browser; currently out of the box you can't pass an Accept header to Keycloak and get a challenge response in JSON rather than HTML.<br></div>
<div><br></div>
<div>We're passing requests through an API gateway, so I was able to do some funny business to get it to work. Basically the steps are:<br></div>
<div><br></div>
<div>1. The user agent submits a POST request to /realms/{realm}/login-actions/authenticate to the gateway with a username and password parameter.<br></div>
<div>2. The API gateway intercepts the request and first makes a GET request to /realms/{realm}/protocol/openid-connect/auth to grab the authentication form HTML.<br></div>
<div>3. The API gateway digs out the "code" and "execution" query string parameters in the form action.<br></div>
<div>4. The API gateway adds those parameters to the form parameters in the POST request before passing it through to Keycloak.<br></div>
<div><br></div>
<div>This results in a redirect response with an auth code for the user agent to follow.<br></div>
<div><br></div>
<div>Another approach would be to write an authenticator to supply the challenge response in JSON, which we may ultimately do. <br></div>
<div><br></div>
<div><br></div>
<div>On Tue, Aug 9, 2016, at 04:25 PM, Abelardo Vacca wrote:<br></div>
<blockquote type="cite"><div style="color:rgb(0, 0, 0);background-color:rgb(255, 255, 255);font-family:'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:16px;"><div><br></div>
<div dir="ltr">I am wondering if it is possible to delegate authentication to an identity provider, as you would on the Login Page, but using the REST API.<br></div>
<div dir="ltr">I've posted to stackoverflow a few minutes ago with details and diagrams to try to explain the best I could: <a href="http://stackoverflow.com/questions/38859379/is-it-possible-to-authenticate-against-a-keycloaks-identity-provider-openam-w">http://stackoverflow.com/questions/38859379/is-it-possible-to-authenticate-against-a-keycloaks-identity-provider-openam-w</a> <br></div>
<div dir="ltr"><br></div>
<div dir="ltr">Please feel free to correct any misconceptions I might have, I am new to all these tools I am posting about (APIMAN, Keycloak and OpenAM)<br></div>
<div><br></div>
<div>Thanks,<br></div>
<div>Abelardo<br></div>
</div>
</blockquote><div><br></div>
<div id="sig3995191"><div class="signature">--<br></div>
<div class="signature"> Aikeaguinea<br></div>
<div class="signature"> aikeaguinea@xsmail.com<br></div>
<div class="signature"><br></div>
</div>
<div><br></div>
</body>
</html>