This is an example for the Direct Grant API. It allows you to send a POST request to Keycloak including username and password, and Keycloak will directly return you an accessToken without even displaying the Keycloak login screen. The Direct Grant API has some limitations though (the password must be known to your application, SSO won't work, the user won't be able to log in if he needs to do some required action (like change password), etc.). So it's usually better to use a proper login flow instead of the Direct Grant API. See here for more info: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java#L54
Thanks
Marek
I saw here the app gains the accessToken, but did not see where this `/auth` API is implemented. I want to learn how I do the same thing of exposing an `/auth` API to generate tokens.
I did not see anything in pom.xml either. Seems like magic to me at the moment. Any guidance here?
Thanks
On Tue, Jul 29, 2014 at 12:25 AM, Marek Posolda <mposolda@redhat.com> wrote:
Hi,
the best is to start with the documentation http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/index.html and also look at the existing examples https://github.com/keycloak/keycloak/tree/master/examples . Probably the most useful for you might be https://github.com/keycloak/keycloak/tree/master/examples/demo-template . It has a RESTful application "database-service", where you can send secured REST requests with the bearer token attached to them. Other applications in the directory are web applications, which obtain the bearer token from the Keycloak login. Product-portal and customer-portal are JEE applications secured by Keycloak itself; third-party and third-party-cdi are more traditional OAuth, where the token is used just to retrieve the secured data from "database-service". See the README for more info.
Example for CORS support is here: https://github.com/keycloak/keycloak/tree/master/examples/cors
Marek
On 25.7.2014 23:04, Harit Himanshu wrote:
Hey Team,
I have been looking for an answer to http://stackoverflow.com/questions/24769691/what-are-some-ways-to-secure-rest-apis and found that keycloak is suitable for securing REST APIs using OAuth 2.0.
I am looking for an example where the following is demonstrated:
a.) Third-party app registers and gets Access Token
b.) Third-Party app accesses Resource Server to access protected resource by sending Access Token to REST API
c.) and How Token is validated.
It is mentioned in features of keycloak as
- OAuth Bearer token auth for REST Services
- OAuth 2.0 Grant requests
- CORS Support
Can you please guide me through examples?
Thank you
On Fri, Jul 25, 2014 at 2:00 PM, Harit Himanshu <harit.subscriptions@gmail.com> wrote:
Hey Team,
I have been looking for an answer to http://stackoverflow.com/questions/24769691/what-are-some-ways-to-secure-rest-apis and found that keycloak is suitable for securing REST APIs using OAuth 2.0.
I am looking for an example where the following is demonstrated:
a.) Third-party app registers and gets Access Token
b.) Third-Party app accesses Resource Server to access protected resource by sending Access Token to REST API
c.) and How Token is validated.
It is mentioned in features of keycloak as
- OAuth Bearer token auth for REST Services
- OAuth 2.0 Grant requests
- CORS Support
Can you please guide me through examples?
Thank you
+ Harit Himanshu
_______________________________________________ keycloak-dev mailing list keycloak-dev@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev