Thanks Marek, I'll look into that!


On Mon, Apr 14, 2014 at 9:26 AM, Marek Posolda wrote:

I would suggest looking at this endpoint. I wonder whether this is something you are looking for, as it allows you to retrieve a token for some user in exchange for application and user credentials. It's de facto something described in the OAuth2 specs in the Resource Owner flow.

So what I've just tried is this curl request:
curl --request POST http://localhost:8081/auth/rest/realms/myRealm/tokens/grants/access --data "client_id=myApp&client_secret=c52dc243-8004-4843-b03b-bc139fd3a6fc&username=john&password=password" --header "Accept: application/json" --header "Content-type: application/x-www-form-urlencoded"

where client_id and client_secret are the credentials of my application, username/password are the credentials of the user, and "myRealm" is the name of my realm where user "john" and application "myApp" are registered. Note that instead of client_id and client_secret you can also use the Authorization header (see the code for more details).


On 13.4.2014 10:30, Nils Preusker wrote:
To clarify, I've been looking at the various clients in the examples and know that I can simply add an authorization header with a bearer token to the REST requests. However, as far as I understand the examples and the code, all the login flows are based on login forms and redirects. While this is convenient for web applications, I'm missing a simple way for a "headless" client to obtain a token in return for application credentials or an API key. Are you planning to support this kind of use case?


On Sat, Apr 12, 2014 at 7:09 PM, Nils Preusker wrote:
Hi all,

I'm trying to figure out how I could use keycloak to secure a REST API that is used by a pure backend REST client. Do you have any recommendations for that (i.e. API keys)?


keycloak-user mailing list
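
The token request from Marek's reply, written as a small headless Python client; this is an added example, not code from the thread or from the Keycloak project. It assumes the Authorization header is HTTP Basic and that the response is JSON with an `access_token` field (both per RFC 6749), and the `KC_*` environment variable names are hypothetical.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Path copied from the curl command in the thread.
TOKEN_PATH = "/auth/rest/realms/{realm}/tokens/grants/access"
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def build_token_request(base_url, realm, client_id, client_secret, username, password):
    """Build, without sending, the POST that trades credentials for a token."""
    parts = urllib.parse.urlsplit(base_url)
    # The body carries the user's password: allow plain http only on loopback.
    if parts.scheme != "https" and parts.hostname not in LOOPBACK:
        raise ValueError("refusing to send credentials over " + parts.scheme)
    url = base_url.rstrip("/") + TOKEN_PATH.format(realm=urllib.parse.quote(realm, safe=""))
    # urlencode() escapes '&', '=' and '+', which a hand-built --data string
    # would pass through and silently corrupt.
    body = urllib.parse.urlencode({"username": username, "password": password})
    # Assumption: the Authorization header mentioned in the thread is HTTP Basic,
    # with both client credentials form-encoded first (RFC 6749, section 2.3.1).
    pair = urllib.parse.quote_plus(client_id) + ":" + urllib.parse.quote_plus(client_secret)
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")


def parse_token_response(raw):
    """Return the token from a JSON response body, or raise ValueError."""
    data = json.loads(raw)
    # Assumption: the field is named access_token (RFC 6749, section 5.1).
    token = data.get("access_token") if isinstance(data, dict) else None
    if not isinstance(token, str) or not token:
        raise ValueError("response carries no access_token")
    return token


if __name__ == "__main__":
    # KC_* names are hypothetical; reading secrets from the environment keeps
    # them out of the process list and shell history.
    env = os.environ
    req = build_token_request("http://localhost:8081", "myRealm", env["KC_CLIENT_ID"],
                              env["KC_CLIENT_SECRET"], env["KC_USERNAME"], env["KC_PASSWORD"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        print("Authorization: Bearer " + parse_token_response(resp.read())[:8] + "...")
```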