Thx for your help. To avoid the end user having to use getpostman, I have
created a bash script that queries apiman to get & extract the access_token
from the HTTP response and then calls my service. Here is the script
Part of it was that I want to show the steps that would be required
if/when people are writing their own programs - so, extracting the
token, adding it to the appropriate header, etc.
However, you do hit on an issue I felt, which is that the blog doesn't
explore enough of the more realistic setups where client secrets (and
auth codes, etc) are used instead of username and password.
Perhaps in a future blog I should explore it; however, I'm always wary
about using a tool that might exclude some of the audience (e.g. people
who use only Firefox; people who don't want to install an extension). If
I do it as a separate post, rather than modifying the original, then I
think this could be acceptable.
Thanks for your thoughts, I'll try to integrate something into my next
postings.
On 01/09/2015 17:34, Rafael Soares wrote:
> Hi!
>
> One nice thing you could add to your post is the use of Postman REST
> Client App [1] (Chrome addon).
> Postman offers a way to get an oAuth2 access_token (JWT) and add it to
> your request. All visually, without having to get the access_token using
> 'curl' or 'httpie' (CLI utilities).
>
> See Postman Helpers [2]. I used it for my demos when working with REST
> endpoints. I managed to get it working with the APIMan/Keycloak oauth2.
>
> [1] https://www.getpostman.com/
> [2] https://www.getpostman.com/docs/helpers
>
> ________________________
> Rafael Torres Coelho Soares
>
> On Tue, Sep 1, 2015 at 12:41 PM, Charles Moulliard <cmoullia(a)redhat.com> wrote:
>
> Fixed after changing user parameter. I'm able to get an access token
>
> So I will be able to take some screenshots now & elaborate the
> instructions as an addon to the excellent apiman & keycloak blog
> article ;-)
>
> Sent from my iPhone
>
> > On 1 sept. 2015, at 17:36, Charles Moulliard <cmoullia(a)redhat.com> wrote:
> >
> > Works better now. I have also reset the password to demo and I
> > get an account temporarily disabled
> >
> > Sent from my iPhone
> >
> >> On 1 sept. 2015, at 17:22, Marc Savy <marc.savy(a)redhat.com> wrote:
> >>
> >>
> >> http://localhost:8080/auth/admin/master/console/#/realms/demo/login-settings
> >> -> 'Direct Grant API' -> ON
> >>
> >> Now, curl -X POST http://127.0.0.1:8080/auth/realms/demo/protocol/openid-connect/token -H "Content-Type: application/x-www-form-urlencoded" -d "username=demo" -d 'password=demo' -d 'grant_type=password' -d 'client_id=demo'
> >>
> >> Works fine!
> >>
> >> As a side-note: I would also point your readers towards the
> >> Keycloak docs, as this may not be an optimal setup for their
> >> real-world requirements (e.g. they may want redirected
> >> login-screens, user registration, SAML, etc, etc).
> >>
> >>> On 01/09/2015 15:54, Charles Moulliard wrote:
> >>>
> >>> On 01/09/15 11:57, Marc Savy wrote:
> >>>> I would suggest you refer to the Keycloak documentation, as there are
> >>>> several ways to skin this particular cat. For instance, how you decide
> >>>> to set up your Keycloak configuration is highly dependent upon your
> >>>> specific requirements; whether you want token grants to be via the
> >>>> API-only, or an HTTP redirect based approach (see:
> >>>> https://keycloak.github.io/docs/userguide/html/access-types.html); how
> >>>> you wish to divide up your application; the level of security you
> >>>> desire; any identity provision sources...
> >>>>
> >>>> At any rate, once you have Keycloak going, you would log in and click
> >>>> on 'create realm' (in my blog demo, that would be
> >>>> http://localhost:8080/auth/admin/master/console/#/create/realm) -
> >>>> then, add your client, roles, users, etc.
> >>>>
> >>> I have created a very basic use case:
> >>> - realm = demo,
> >>> - a user = demo and
> >>> - a client = demo where Direct Grants Only = ON and Access Type = Public
> >>>
> >>> but when I issue a request to get the Access Token,
> >>>
> >>> curl -X POST http://127.0.0.1:8080/auth/realms/demo/protocol/openid-connect/token -H "Content-Type: application/x-www-form-urlencoded" -d "username=demo" -d 'password=demo' -d 'grant_type=password' -d 'client_id=demo'
> >>>
> >>> I get this error -->
> >>>
> >>> {"error_description":"Direct Grant REST API not enabled","error":"not_enabled"}
> >>>
> >>> Here is the demo.json exported file = https://gist.github.com/cmoulliard/c25fef751886ace8c354
> >>>
> >>>
> >>>> To make your life simple for demo purposes, I suggest your clients be
> >>>> 'Direct Grants Only' and 'Public'.
> >>>>
> >>>> I'm not entirely clear from your email whether you want to script
> >>>> this, or provide walk-through steps, or provide a pre-baked config
> >>>> (like the blog).
> >>> I would like to include instructions (= step by step instructions) +
> >>> screenshots and also a file (= json exported config) for end users not
> >>> interested in setting up Keycloak
> >>>>
> >>>> Do you need to use roles and authorization? Or just simple
> >>>> authentication?
> >>>>
> >>>> Regards,
> >>>> Marc
> >>>>
> >>>>> On 01/09/2015 06:20, Charles Moulliard wrote:
> >>>>> This blog refers to a link where we will import a pre-defined config
> >>>>>
> >>>>> First, log into the Keycloak server. If you’re following our
> >>>>> walkthrough, the log-in details are identical to those mentioned earlier
> >>>>> (admin, admin123!). You can see that there is already an apiman realm
> >>>>> defined, but we’re going to create a new one, so navigate to Add Realm
> >>>>> (top right), and import and upload "this demonstration realm definition
> >>>>> - http://www.apiman.io/blog/resources/2015-06-04/stottie.json"; it
> >>>>> provides an extremely simple setup where we have:
> >>>>>
> >>>>> What I would like to explain is how we can create this "stottie" config in
> >>>>> Keycloak (step by step, screenshots)
> >>>>>
> >>>>>> On 01/09/15 02:19, Eric Wittmann wrote:
> >>>>>> +1
> >>>>>>
> >>>>>> Thanks for responding, Rafael. I had intended to link this very same
> >>>>>> tutorial but then it slipped my mind. :)
> >>>>>>
> >>>>>>> On 8/31/2015 5:48 PM, Rafael Soares wrote:
> >>>>>>> Charles,
> >>>>>>>
> >>>>>>> Recently I followed the "Keycloak and dagger: Securing your services
> >>>>>>> with OAuth2" tutorial [1] and it worked fine! This howto is great!
> >>>>>>>
> >>>>>>> You don't need to do anything on the Fuse/Camel side. All setup is done
> >>>>>>> in the ApiMan side. ApiMan comes with a KeyCloak service embedded and
> >>>>>>> all you need to do is install the Apiman oauth2 keycloak plugin and
> >>>>>>> configure your service policy to use it. The tutorial [1] describes each
> >>>>>>> step in detail.
> >>>>>>>
> >>>>>>> [1] http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication...
> >>>>>>>
> >>>>>>> ________________________
> >>>>>>> Rafael Torres Coelho Soares
> >>>>>>>
> >>>>>>> On Mon, Aug 31, 2015 at 2:38 PM, Charles Moulliard <cmoulliard(a)redhat.com> wrote:
> >>>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I have already asked this question but I need some help to figure out
> >>>>>>> what are the steps required to setup Oauth 2 with Keycloak as I'm
> >>>>>>> preparing a demo (https://github.com/FuseByExample/rest-dsl-in-action)
> >>>>>>> covering the point about how to secure & govern Camel REST DSL endpoints
> >>>>>>> on JBoss Fuse using Apiman & Keycloak ?
> >>>>>>>
> >>>>>>> I just need the list of the steps to perform from the Web Site. Based on
> >>>>>>> the input, I will take some screenshots and include the instructions
> >>>>>>> within the demo content. Such input could be reused to write a blog
> >>>>>>> article too ;-)
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>>
> >>>>>>> Charles
> >>>>>>> _______________________________________________
> >>>>>>> Apiman-user mailing list
> >>>>>>> Apiman-user(a)lists.jboss.org
> >>>>>>> https://lists.jboss.org/mailman/listinfo/apiman-user
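The script Charles describes (request a token with the Direct Grant password flow from the thread's curl command, extract access_token from the response, then call the service with it in a Bearer header), as an added example: this is not the script from the thread and not apiman's or Keycloak's code. The token endpoint, realm and client_id are the ones quoted in the thread; SERVICE_URL, TOKEN_USERNAME and TOKEN_PASSWORD are assumed names.

```shell
#!/usr/bin/env bash
# Added example, not the script from the thread: get a token from the Keycloak
# 'demo' realm via the Direct Grant (password) flow quoted above, pull
# access_token out of the JSON reply and call a service with it as a Bearer token.
# SERVICE_URL, TOKEN_USERNAME and TOKEN_PASSWORD are assumed names, not from the thread.
set -eu
KEYCLOAK_URL="${KEYCLOAK_URL:-http://127.0.0.1:8080}"
REALM="${REALM:-demo}"
CLIENT_ID="${CLIENT_ID:-demo}"
SERVICE_URL="${SERVICE_URL:-http://localhost:8080/SERVICE_PATH_PLACEHOLDER}"

# Extract access_token from a token-endpoint response. Prints nothing for an
# error body such as {"error":"not_enabled"}, so callers can test for emptiness.
extract_access_token() {
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$1" | jq -r '.access_token // empty'
  else
    printf '%s\n' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
  fi
}

# Password grant exactly as in the thread's curl command. Credentials on a command
# line are visible in the process list; the client-secret setups Marc mentions
# avoid passing end-user passwords around like this.
get_token_response() {
  curl -sS -X POST "$KEYCLOAK_URL/auth/realms/$REALM/protocol/openid-connect/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=password" --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode "username=$1" --data-urlencode "password=$2"
}

# Send the token in the Authorization header, never in the URL (which gets logged).
call_service() {
  curl -sS -H "Authorization: Bearer $1" "$SERVICE_URL"
}

main() {
  response=$(get_token_response "$TOKEN_USERNAME" "$TOKEN_PASSWORD")
  token=$(extract_access_token "$response")
  if [ -z "$token" ]; then
    echo "token request failed: $response" >&2   # e.g. 'Direct Grant API' still OFF
    return 1
  fi
  call_service "$token"
}
# Only touch the network when credentials were supplied in the environment.
if [ -n "${TOKEN_USERNAME:-}" ] && [ -n "${TOKEN_PASSWORD:-}" ]; then
  main
fi
```

Run it as `TOKEN_USERNAME=demo TOKEN_PASSWORD=... ./script.sh` once 'Direct Grant API' is ON for the realm; with the setting OFF the not_enabled body from the thread is printed to stderr and the script exits non-zero.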