I ran into this issue when wanting to use the auth code flow without a browser; currently out of the box you can't pass an Accept header to Keycloak and get a challenge response in JSON rather than HTML.
We're passing requests through an API gateway, so I was able to do some funny business to get it to work. Basically the steps are:
1. The user agent submits a POST request to /realms/{realm}/login-actions/authenticate to the gateway with a username and password parameter.
2. The API gateway intercepts the request and first makes a GET request to /realms/{realm}/protocol/openid-connect/auth to grab the authentication form HTML.
3. The API gateway digs out the "code" and "execution" query string parameters in the form action.
4. The API gateway adds those parameters to the form parameters in the POST request before passing it through to Keycloak.
This results in a redirect response with an auth code for the user agent to follow.
Another approach would be to write an authenticator to supply the challenge response in JSON, which we may ultimately do.
On Tue, Aug 9, 2016, at 04:25 PM, Abelardo Vacca wrote:
I am wondering if it is possible to delegate authentication to an identity provider, as you would on the Login Page, but using the REST API.
Please feel free to correct any misconceptions I might have; I am new to all these tools I am posting about (APIMAN, Keycloak and OpenAM).
Thanks,
Abelardo
--
Aikeaguinea
aikeaguinea@xsmail.com
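
Steps 2 to 4 of the gateway procedure described above, as an added example that is not code from this thread or from Keycloak: it pulls `code` and `execution` out of the login form's action URL and merges them into the client's form fields, ignoring any copies the client sent. The helper names are hypothetical, and the sample HTML, host, realm and parameter values are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs, urlencode

AUTH_PATH_SUFFIX = "/login-actions/authenticate"  # path named in the post
REQUIRED = ("code", "execution")                  # parameters named in the post


class _FormActionFinder(HTMLParser):
    """Collects the action attribute of every <form> in the page."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            action = dict(attrs).get("action")
            if action:
                self.actions.append(action)  # HTMLParser has already unescaped &amp;


def extract_login_params(html):
    """Step 3: return {'code': ..., 'execution': ...} from the login form action."""
    finder = _FormActionFinder()
    finder.feed(html)
    for action in finder.actions:
        parts = urlsplit(action)
        if not parts.path.endswith(AUTH_PATH_SUFFIX):
            continue
        query = parse_qs(parts.query)
        missing = [k for k in REQUIRED if len(query.get(k, [])) != 1]
        if missing:
            raise ValueError(f"login form action lacks a single value for: {missing}")
        return {k: query[k][0] for k in REQUIRED}
    raise ValueError("no form posting to " + AUTH_PATH_SUFFIX)


def build_forwarded_body(client_form, html):
    """Step 4: merge gateway-extracted parameters into the client's form fields."""
    allowed = {k: client_form[k] for k in ("username", "password")}  # KeyError if absent
    allowed.update(extract_login_params(html))  # gateway values, never the client's
    return urlencode(allowed)


# Constructed sample page; the realm name, host and values are made up.
SAMPLE_HTML = '''<html><body>
<form action="https://sso.example.test/realms/demo/login-actions/authenticate?code=AbC-123&amp;execution=11111111-2222-3333-4444-555555555555" method="post">
<input name="username"><input type="password" name="password"></form>
</body></html>'''
```
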