Blog and/or documentation to help the end user to figure out the token
used between the client and APiman & Keycloak.
On 09/09/15 11:35, Marc Savy wrote:
> and to decode token based 64 to a more human readable
>
>
> http://jwt.io/
Ah, that's very cool! Thanks for that, didn't know about it. Maybe I
should integrate a reference to it in the blog.
On 09/09/2015 08:39, Charles Moulliard wrote:
> Thx for the info. To be complete, these links are also very valuable to
> understand the JWT (Token issued by Keycloak)
>
> https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
>
> https://developer.atlassian.com/static/connect/docs/latest/concepts/under...
>
>
>
> and to decode token based 64 to a more human readable
>
>
> http://jwt.io/
>
>
> On 07/09/15 20:30, Marc Savy wrote:
>> This is using openid-connect, which is layered on top of OAuth2 and
>> provides a bunch of useful standardised fields for authentication
>> purposes (to verify that the caller is who they claim to be; as
>> opposed to authorization, which is talking more about what you are
>> allowed to do).
>>
>> There are a couple of good StackExchange threads which will be helpful:
>> - http://security.stackexchange.com/a/44614
>> - http://security.stackexchange.com/a/47136
>>
>> On 07/09/2015 17:18, Charles Moulliard wrote:
>>> Hi,
>>>
>>> This blog post details how to use OAuth2 between APiman & Keycloak
>>> ("http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html").
>>>
>>> I have some questions to ask you about where these requests are
>>> related to OAuth2 spec/protocol
>>>
>>> When we issue the request to get an access token for the client_id =
>>> apiman "curl -X POST
>>> http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token
>>> -H "Content-Type: application/x-www-form-urlencoded" -d
>>> "username=rincewind" -d 'password=apiman' -d 'grant_type=password' -d
>>> 'client_id=apiman'", does this request correspond to OAuth 2 process
>>> where the client requests an access token to the authorization server
>>> (= keycloak) using as grant-type = password
>>> (http://oauthlib.readthedocs.org/en/latest/oauth2/grants/password.html)
>>> ?
>>>
>>> Is this request also issued by the "Apiman OAuth2 Policy" when a HTTP
>>> Client will call the gateway to access a HTTP endpoint secured by the
>>> Api gateway ?
>>>
>>> Regards,
>>>
>>> Charles
>>> _______________________________________________
>>> Apiman-user mailing list
>>> Apiman-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>>
>>
>
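
What a decoder such as jwt.io does with the token discussed in this thread, as an added example that is not part of the original messages: split the three dot-separated segments and base64url-decode the header and claims. The sample token is constructed (its claim names, values and placeholder signature are assumptions); decoding only reads the token and does not verify its signature, so the claims are readable by anyone holding it.

```python
import base64
import json
import time


def b64url_decode(segment):
    """Decode base64url, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token):
    """Return header and claims WITHOUT verifying the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig_len = len(b64url_decode(parts[2]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("malformed JWT segment: %s" % exc) from exc
    return {"header": header, "claims": claims, "signature_bytes": sig_len}


def is_expired(claims, now=None):
    """Treat a token with no 'exp' claim as expired (conservative)."""
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return exp is None or now >= exp


def make_sample_token():
    """Constructed sample; claim names and values are assumptions."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": "http://127.0.0.1:8080/auth/realms/stottie",
              "preferred_username": "rincewind", "azp": "apiman",
              "exp": 1441800000}
    placeholder_sig = b"\x00" * 32  # not a real signature
    return ".".join(b64url_encode(p) for p in (
        json.dumps(header).encode(), json.dumps(claims).encode(),
        placeholder_sig))


if __name__ == "__main__":
    decoded = decode_jwt(make_sample_token())
    print(json.dumps(decoded, indent=2))
    print("expired:", is_expired(decoded["claims"]))
```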