[keycloak-user] Client options for authenticating against Keycloak-secured services

Good day, I'm hoping to summarize the methods for a client Java program to authenticate against a Keycloak-secured service endpoint. Please correct any misunderstandings I have in the summary below: 1. Client program can issue a KC REST API call to get a token and then use it as "Authorization" header of type "Bearer" as per example 2. Client program (such as Apache HttpClient lib) can use Basic Authorization if KC secured-deployment has been configured to allow. 3. Client program can negotiate a SAML v2.0 SP-initiated SSO session directly against KC if the service is so configured. 4. Client program can negotiate a OpenID Connect SSO session directly against KC if the service is so configured. I have working Java examples now for #1 and #2, but was wondering if there were any Java examples of #3 and #4. Is my understanding of the authentication options for clients correct? By the way, I am greatly impressed by the progress being made on the master branch around Kerberos/SPNEGO and Identity Brokering. Kudos to the team. Thanks in advance, Guy