Hi Lance,
If you specify "grant_type=password", you are using Direct Access
Grants (called "Resource Owner Password Credentials grant" in the
OAuth2 specification), documented here [1].
If you specify "grant_type=client_credentials", you are using Service
Accounts and you are obtaining a token on behalf of the client (called
"Client Credentials grant" in the OAuth2 specification); it's documented
here [2].
[1] http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-acce...
[2] http://keycloak.github.io/docs/userguide/keycloak-server/html/service-acc...
Marek
On 16/05/16 23:19, Lance Ball wrote:
Hi All
I've been updating the keycloak-nodejs-auth-utils module to keep up
with recent changes in Keycloak, and one thing I've noticed seems to
contradict what's written in the documentation. Can anyone provide
clarity on this for me?
In the docs for Direct Access Grants [1] it says, "For confidential
clients, you must create a Basic Auth Authorization header that
contains the client_id and client secret. And pass in the form
parameters for username and for each user credential. For example:"
POST /auth/realms/demo/protocol/openid-connect/token
Authorization: Basic atasdf023l2312023
Content-Type: application/x-www-form-urlencoded
username=bburke&password=geheim&grant_type=password
(That's copied and pasted into GMail. I hope the formatting is OK).
But in the keycloak-nodejs-auth-utils module, I am able to obtain a
grant without including the username and password. Additionally, I
must specify 'client_credentials' as the grant_type [2].
Do I misunderstand what is going on here or is the documentation out
of date?
Thanks
Lance
[1] http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-acce...
[2] https://github.com/keycloak/keycloak-nodejs-auth-utils/blob/master/lib/gr...
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev