Good day,
I'm hoping to summarize the methods for a client Java program to authenticate against a Keycloak-secured service endpoint. Please correct any misunderstandings I have in the summary below:
1. Client program can issue a KC REST API call to get a token and then use it as "Authorization" header of type "Bearer" as per example.
2. Client program (such as Apache HttpClient lib) can use Basic Authorization if KC secured-deployment has been configured to allow.
3. Client program can negotiate a SAML v2.0 SP-initiated SSO session directly against KC if the service is so configured.
4. Client program can negotiate an OpenID Connect SSO session directly against KC if the service is so configured.
I have working Java examples now for #1 and #2, but was wondering if there were any Java examples of #3 and #4. Is my understanding of the authentication options for clients correct?
By the way, I am greatly impressed by the progress being made on the master branch around Kerberos/SPNEGO and Identity Brokering. Kudos to the team.
Thanks in advance,
Guy
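
The token-then-Bearer flow from the first item in the list above, as an added example that is not part of the original post and is not Keycloak project code. A local stub stands in for both the token endpoint and the secured service; the paths `/token` and `/service`, the client id, the credentials, the token value and the OAuth 2.0 password-grant form body are assumptions made for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.regex.*;

public class BearerFlowDemo {
    // Constructed sample value; a real access token is issued and signed by the server.
    static final String TOKEN = "constructed-sample-token";
    public static void main(String[] args) throws Exception {
        // Local stub (hypothetical paths) standing in for the token endpoint and the service.
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/token", ex -> {
            String form = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
            boolean ok = form.contains("grant_type=password");
            byte[] body = (ok ? "{\"access_token\":\"" + TOKEN + "\",\"token_type\":\"Bearer\"}"
                              : "{\"error\":\"unsupported_grant_type\"}").getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(ok ? 200 : 400, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        stub.createContext("/service", ex -> {
            // The service never sees the password, only the token in the Authorization header.
            boolean ok = ("Bearer " + TOKEN).equals(ex.getRequestHeaders().getFirst("Authorization"));
            ex.sendResponseHeaders(ok ? 200 : 401, -1);
            ex.close();
        });
        stub.start();
        String base = "http://127.0.0.1:" + stub.getAddress().getPort();
        HttpClient http = HttpClient.newHttpClient();
        // Step 1: POST form-encoded credentials (constructed values) to the token endpoint.
        HttpResponse<String> tok = http.send(HttpRequest.newBuilder(URI.create(base + "/token"))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(
                        "grant_type=password&client_id=demo-client&username=alice&password=constructed-pw"))
                .build(), HttpResponse.BodyHandlers.ofString());
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(tok.body());
        if (tok.statusCode() != 200 || !m.find()) throw new IllegalStateException("no token: " + tok.body());
        // Step 2: call the service with the issued token, then with a wrong one (expect 200, 401).
        for (String header : new String[] {"Bearer " + m.group(1), "Bearer wrong"}) {
            int status = http.send(HttpRequest.newBuilder(URI.create(base + "/service"))
                    .header("Authorization", header).GET().build(),
                    HttpResponse.BodyHandlers.discarding()).statusCode();
            System.out.println(header.endsWith("wrong") ? "bad token -> " + status : "valid token -> " + status);
        }
        stub.stop(0);
    }
}
```

It runs offline on Java 11 or later with `java BearerFlowDemo.java`. Against a real deployment, the token URL and the enabled grant come from the realm configuration, and both calls should go over HTTPS.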