Re: [Apiman-user] Question about OAuth2 (apiman & keycloak)

This is using openid-connect, which is layered on top of OAuth2 and provides a bunch of useful standardised fields for authentication purposes (to verify that the caller is who they claim to be; as opposed to authorization, which is talking more about what you are allowed to do). There are a couple of good StackExchange threads which will be helpful: - http://security.stackexchange.com/a/44614 - http://security.stackexchange.com/a/47136 On 07/09/2015 17:18, Charles Moulliard wrote: > Hi, > > This blog post details how to use Oauth2 between APiman & Keycloak > ("http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html"). > > > I have some questions to ask you about where these requests are related > to OAuth2 spec/protocol > > When we issue the request to get an access token for the client_id = > apiman "curl -X POST > http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token > -H "Content-Type: application/x-www-form-urlencoded" -d > "username=rincewind" -d 'password=apiman' -d 'grant_type=password' -d > 'client_id=apiman'", does this request corresponds to Oauth 2 process > where the client requests an access token to the authorization server (= > keycloak) using as grant-type = password > (http://oauthlib.readthedocs.org/en/latest/oauth2/grants/password.html) ? > > Is this request also issued by the "Apiman OAuth2 Policy" when a HTTP > Client will call the gateway to access a HTTP endpoint secured by the > Api gateway ? > > Regards, > > Charles > _______________________________________________ > Apiman-user mailing list > Apiman-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/apiman-user >