Part of it was that I want to show the steps that would be required
if/when people are writing their own programs - so, extracting the
token, adding it to the appropriate header, etc.
However, you do hit on an issue I felt, which is that the blog doesn't
explore enough of the more realistic setups where client secrets (and
auth codes, etc) are used instead of username and password.
Perhaps in a future blog I should explore it; however, I'm always wary
about using a tool that might exclude some of the audience (e.g. people
who use only Firefox; people who don't want to install an extension). If
I do it as a separate post, rather than modifying the original, then I
think this could be acceptable.
Thanks for your thoughts, I'll try to integrate something into my next
postings.
On 01/09/2015 17:34, Rafael Soares wrote:
Hi!
One nice thing you could add to your post is the use of Postman REST
Client App [1] (Chrome addon).
Postman offers a way to get an oAuth2 access_token (JWT) and add it to
your request. All visually, without having to get the access_token using
'curl' or 'httpie' (CLI utilities).
See Postman Helpers [2]. I used it for my demos when working with REST
endpoints. I managed to get it working with the APIMan/Keycloak oauth2.
[1] https://www.getpostman.com/
[2] https://www.getpostman.com/docs/helpers
________________________
Rafael Torres Coelho Soares
On Tue, Sep 1, 2015 at 12:41 PM, Charles Moulliard <cmoullia(a)redhat.com> wrote:
Fixed after changing user parameter. I'm able to get an access token,
so I will be able to take some screenshots now & elaborate the
instructions as an addon to the excellent apiman & keycloak blog
article ;-)
Sent from my iPhone
> On 1 sept. 2015, at 17:36, Charles Moulliard <cmoullia(a)redhat.com> wrote:
>
> Works better now. I have also reset the password to demo and I
> get an account temporarily disabled
>
> Sent from my iPhone
>
>> On 1 sept. 2015, at 17:22, Marc Savy <marc.savy(a)redhat.com> wrote:
>>
>> http://localhost:8080/auth/admin/master/console/#/realms/demo/login-settings
>> -> 'Direct Grant API' -> ON
>>
>> Now,
>>
>>   curl -X POST http://127.0.0.1:8080/auth/realms/demo/protocol/openid-connect/token \
>>     -H "Content-Type: application/x-www-form-urlencoded" \
>>     -d "username=demo" -d 'password=demo' -d 'grant_type=password' -d 'client_id=demo'
>>
>> Works fine!
>>
>> As a side-note: I would also point your readers towards the
>> Keycloak docs, as this may not be an optimal setup for their
>> real-world requirements (e.g. they may want redirected
>> login-screens, user registration, SAML, etc, etc).
>>
>>> On 01/09/2015 15:54, Charles Moulliard wrote:
>>>
>>> On 01/09/15 11:57, Marc Savy wrote:
>>>> I would suggest you refer to the Keycloak documentation, as there are
>>>> several ways to skin this particular cat. For instance, how you decide
>>>> to set up your Keycloak configuration is highly dependent upon your
>>>> specific requirements; whether you want token grants to be via the
>>>> API-only, or an HTTP redirect based approach (see:
>>>> https://keycloak.github.io/docs/userguide/html/access-types.html); how
>>>> you wish to divide up your application; the level of security you
>>>> desire; any identity provision sources...
>>>>
>>>> At any rate, once you have Keycloak going, you would log in and click
>>>> on 'create realm' (in my blog demo, that would be
>>>> http://localhost:8080/auth/admin/master/console/#/create/realm) -
>>>> then, add your client, roles, users, etc.
>>>>
>>> I have created a very basic use case:
>>> - realm = demo,
>>> - a user = demo and
>>> - a client = demo where Direct Grants Only = ON and Access Type = Public
>>>
>>> but when I issue a request to get the Access Token,
>>>
>>>   curl -X POST http://127.0.0.1:8080/auth/realms/demo/protocol/openid-connect/token \
>>>     -H "Content-Type: application/x-www-form-urlencoded" \
>>>     -d "username=demo" -d 'password=demo' -d 'grant_type=password' -d 'client_id=demo'
>>>
>>> I get this error -->
>>>
>>> {"error_description":"Direct Grant REST API not enabled","error":"not_enabled"}
>>>
>>> Here is the demo.json exported file =
>>> https://gist.github.com/cmoulliard/c25fef751886ace8c354
>>>
>>>
>>>> To make your life simple for demo purposes, I suggest your clients be
>>>> 'Direct Grants Only' and 'Public'.
>>>>
>>>> I'm not entirely clear from your email whether you want to script
>>>> this, or provide walk-through steps, or provide a pre-baked config
>>>> (like the blog).
>>> I would like to include instructions (= step by step instructions) +
>>> screenshots and also a file (= json exported config) for end users not
>>> interested in setting up Keycloak
>>>>
>>>> Do you need to use roles and authorization? Or just simple
>>>> authentication?
>>>>
>>>> Regards,
>>>> Marc
>>>>
>>>>
>>>>> On 01/09/2015 06:20, Charles Moulliard wrote:
>>>>> This blog refers to a link where we will import a pre-defined config
>>>>>
>>>>> First, log into the Keycloak server. If you’re following our
>>>>> walkthrough, the log-in details are identical to those mentioned earlier
>>>>> (admin, admin123!). You can see that there is already an apiman realm
>>>>> defined, but we’re going to create a new one, so navigate to Add Realm
>>>>> (top right), and import and upload "this demonstration realm definition
>>>>> - http://www.apiman.io/blog/resources/2015-06-04/stottie.json"; it
>>>>> provides an extremely simple setup where we have:
>>>>>
>>>>> What I would like is to explain how we can create this "stottie" config in
>>>>> Keycloak (step by step, screenshots)
>>>>>
>>>>>> On 01/09/15 02:19, Eric Wittmann wrote:
>>>>>> +1
>>>>>>
>>>>>> Thanks for responding, Rafael. I had intended to link this very same
>>>>>> tutorial but then it slipped my mind. :)
>>>>>>
>>>>>>> On 8/31/2015 5:48 PM, Rafael Soares wrote:
>>>>>>> Charles,
>>>>>>>
>>>>>>> Recently I followed the "/Keycloak and dagger: Securing your services
>>>>>>> with OAuth2/" tutorial [1] and it worked fine! This howto is great!
>>>>>>>
>>>>>>> You don't need to do anything on the Fuse/Camel side. All setup is done
>>>>>>> in the ApiMan side. ApiMan comes with a KeyCloak service embedded and
>>>>>>> all you need to do is install the Apiman oauth2 keycloak plugin and
>>>>>>> configure your service policy to use it. The tutorial [1] describes each
>>>>>>> step in detail.
>>>>>>>
>>>>>>> [1] http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication...
>>>>>>>
>>>>>>> ________________________
>>>>>>> Rafael Torres Coelho Soares
>>>>>>>
>>>>>>> On Mon, Aug 31, 2015 at 2:38 PM, Charles Moulliard
>>>>>>> <cmoulliard(a)redhat.com> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have already asked this question but I need some help to figure out
>>>>>>> what are the steps required to set up OAuth 2 with Keycloak as I'm
>>>>>>> preparing a demo (https://github.com/FuseByExample/rest-dsl-in-action)
>>>>>>> covering the point about how to secure & govern Camel REST DSL endpoints
>>>>>>> on JBoss Fuse using Apiman & Keycloak ?
>>>>>>>
>>>>>>> I just need the list of the steps to perform from the Web Site. Based on
>>>>>>> the input, I will take some screenshots and include the instructions
>>>>>>> within the demo content. Such input could be reused to write a blog
>>>>>>> article too ;-)
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Charles
>>>>>>> _______________________________________________
>>>>>>> Apiman-user mailing list
>>>>>>> Apiman-user(a)lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>>>>>>
>>
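
The steps named at the top of this thread (request a token with the direct-grant call from the quoted curl command, extract it, add it to a header), as an added Python example that is not code from the thread or the blog. It assumes the service behind the gateway takes the token as `Authorization: Bearer`; `call_service` and its `service_url` argument are hypothetical names, and the sample response bodies are constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Token endpoint and form fields as in the curl command quoted in the thread.
TOKEN_URL = "http://127.0.0.1:8080/auth/realms/demo/protocol/openid-connect/token"

class TokenError(Exception):
    """The token endpoint did not return a usable access token."""

def build_token_request(username, password, client_id="demo"):
    """Form-encode a direct-grant (grant_type=password) token request."""
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}
    return urllib.request.Request(
        TOKEN_URL, data=urllib.parse.urlencode(form).encode("ascii"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def bearer_header(response_body):
    """Turn a token-endpoint JSON body into an Authorization header dict."""
    try:
        doc = json.loads(response_body)
    except ValueError as exc:
        raise TokenError("token endpoint did not return JSON") from exc
    if not isinstance(doc, dict):
        raise TokenError("unexpected token response")
    if "error" in doc:  # e.g. the "not_enabled" reply quoted in the thread
        raise TokenError(f"{doc['error']}: {doc.get('error_description', '')}")
    token = doc.get("access_token")
    if not token:
        raise TokenError("response carried no access_token")
    return {"Authorization": f"Bearer {token}"}

def call_service(service_url, username, password):
    """Hypothetical helper: fetch a token, then call the service (needs a live Keycloak)."""
    try:
        with urllib.request.urlopen(build_token_request(username, password)) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        body = err.read()  # an OAuth2 error object may arrive with a non-2xx status
    request = urllib.request.Request(service_url, headers=bearer_header(body))
    with urllib.request.urlopen(request) as resp:
        return resp.status, resp.read()

# Constructed samples: the error body is the one quoted in the thread; the
# success body is made up and its token is a placeholder, not a real JWT.
SAMPLE_ERROR = '{"error_description":"Direct Grant REST API not enabled","error":"not_enabled"}'
SAMPLE_OK = '{"access_token":"PLACEHOLDER.TOKEN.VALUE","token_type":"bearer","expires_in":300}'
```

`bearer_header` raises instead of returning an empty header, so a disabled grant type or a bad password surfaces at the token step rather than as a 401 from the service.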