Just to address your concern about Angular vs Java: Angular uses OIDC implicit flow and
the Java adapters use the authorization code flow. You don’t get an access token or id
token back from the login redirect. You get an authorization code which may then be
exchanged for a set of OIDC tokens.
The authorization code flow is something like:
User -> Service : request a secured resource
Service -> User: redirect to Keycloak login page
User -> Keycloak : submit login page
Keycloak -> User : redirect back to Service with this authorization code on the URL
User -> Service: original request + code
Service -> Keycloak : exchange auth code for token(s), store tokens, serve secure resource
The authorization code flow doesn’t expose the actual tokens to the user and is considered
more secure.
Scott Rossillo
Smartling | Senior Software Engineer
srossillo(a)smartling.com
On Aug 2, 2016, at 8:05 AM, Mohan.Radhakrishnan(a)cognizant.com wrote:
It is working as you describe. I can either get access or ID token.
In either case - response_type=id_token and response_type=id_token%20token – the method
call is the same.
    KeycloakPrincipal.getKeycloakSecurityContext().getToken().getRealmAccess().getRoles().stream().forEach(f -> System.out.println(f));
It works like that.
So here keycloak.json is used by the filter to validate the ID token by contacting the
IDP and then also requesting the access token. Right?
The doubt I still have is from my other thread
(http://lists.jboss.org/pipermail/keycloak-user/2016-July/007064.html).
The answer there mentions that when a request comes into the website (the application),
the session ID is used to establish who you are.
But that is the ID token. Hope I am mixing two different concerns here.
Thanks,
Mohan
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Monday, August 01, 2016 10:50 PM
To: Radhakrishnan, Mohan (Cognizant) <Mohan.Radhakrishnan(a)cognizant.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Access token or ID token
Not sure exactly about all the details of your setup etc. However from the first look, if
you use "response_type=id_token" , then Keycloak will return you just idToken,
but not accessToken at all.
If you want both idToken and accessToken, you need to use value "id_token
token".
So encoded parameter will be something like "response_type=id_token%20token"
Marek
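The two redirect shapes Scott contrasts above (tokens placed in the redirect URL by the implicit flow, versus a one-time code that the service exchanges on the back channel) and Marek's point about which tokens come back for response_type=id_token versus "id_token token", as an added example. This is not code from the Keycloak project or from anyone in this thread. ToyKeycloak is an in-memory stand-in for the realm: it mints HMAC-tagged JSON blobs instead of RSA-signed JWTs, and the realm key, the client secret, the client_id "java-app", the redirect URI, the user "mohan" and the roles ["user", "admin"] are all made up; only the realm URL is taken from the thread. RelyingParty plays the part the Java adapter plays for the service, including the state and nonce checks that bind the redirect to the login attempt that started it.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Realm URL as seen in the thread; everything else below is a constructed stand-in, not Keycloak.
ISSUER = "http://localhost:8080/auth/realms/Test"
AUTH_ENDPOINT = ISSUER + "/protocol/openid-connect/auth"
REALM_KEY = b"constructed-realm-key"   # assumption: toy HMAC key in place of the realm's RSA key
CLIENT_SECRET = "constructed-secret"   # assumption: the confidential client's secret (keycloak.json credentials)


def _mint(claims):
    """Toy token: base64url(JSON payload) + '.' + HMAC tag. Stand-in for a signed JWT."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).rstrip(b"=")
    return body.decode() + "." + hmac.new(REALM_KEY, body, hashlib.sha256).hexdigest()


def verify_token(token):
    """What an adapter does with the realm key from keycloak.json: check tag and issuer, return claims."""
    body, tag = token.split(".")
    if not hmac.compare_digest(tag, hmac.new(REALM_KEY, body.encode(), hashlib.sha256).hexdigest()):
        raise ValueError("bad token signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    return claims


class ToyKeycloak:
    """Issuer stand-in: 'code' puts a one-time code in the query; implicit types put tokens in the fragment."""

    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri, nonce, user)

    def login(self, auth_url, user="mohan"):
        """The user submits the login page; returns the redirect the browser is sent back with."""
        q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        kinds = q["response_type"].split()  # "id_token%20token" and "id_token+token" both decode to a space
        if kinds == ["code"]:
            code = secrets.token_urlsafe(16)
            self.codes[code] = (q["client_id"], q["redirect_uri"], q.get("nonce"), user)
            return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})
        frag = {"state": q["state"]}
        if "id_token" in kinds:
            frag["id_token"] = self._id_token(q["client_id"], q["nonce"], user)
        if "token" in kinds:
            frag["access_token"] = self._access_token(user)
        return q["redirect_uri"] + "#" + urlencode(frag)  # fragment: the browser keeps it, the server never sees it

    def token(self, code, client_id, client_secret, redirect_uri):
        """Token endpoint: back-channel call from the service, authenticated with the client secret."""
        if not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("bad client credentials")
        cid, ruri, nonce, user = self.codes.pop(code)  # single use: a replayed code raises KeyError
        if (cid, ruri) != (client_id, redirect_uri):
            raise PermissionError("code was issued to a different client/redirect_uri")
        return {"id_token": self._id_token(cid, nonce, user), "access_token": self._access_token(user)}

    def _id_token(self, aud, nonce, user):
        return _mint({"iss": ISSUER, "aud": aud, "sub": user, "nonce": nonce})

    def _access_token(self, user):
        return _mint({"iss": ISSUER, "sub": user, "realm_access": {"roles": ["user", "admin"]}})


class RelyingParty:
    """The secured service (the part the Java adapter does for you), with per-login state and nonce."""

    def __init__(self, idp, client_id="java-app", redirect_uri="http://localhost:8081/callback"):
        self.idp, self.client_id, self.redirect_uri = idp, client_id, redirect_uri
        self.pending = {}  # state -> nonce; in a real service this lives in the HTTP session

    def start_login(self, response_type="code"):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return AUTH_ENDPOINT + "?" + urlencode({
            "client_id": self.client_id, "redirect_uri": self.redirect_uri, "scope": "openid",
            "response_type": response_type, "state": state, "nonce": nonce})

    def finish_login(self, redirect_url):
        """Handle the redirect back: where the data arrived, which tokens we now hold, and the realm roles."""
        u = urlparse(redirect_url)
        query = {k: v[0] for k, v in parse_qs(u.query).items()}
        fragment = {k: v[0] for k, v in parse_qs(u.fragment).items()}
        got = query or fragment
        nonce = self.pending.pop(got["state"])  # unknown or already-used state raises KeyError (CSRF/replay guard)
        if "code" in query:
            tokens = self.idp.token(query["code"], self.client_id, CLIENT_SECRET, self.redirect_uri)
        else:
            # Illustration only: a real server never receives the fragment; browser-side JS reads it.
            tokens = {k: v for k, v in fragment.items() if k != "state"}
        id_claims = verify_token(tokens["id_token"])
        if id_claims["nonce"] != nonce or id_claims["aud"] != self.client_id:
            raise ValueError("id_token is not bound to this login attempt")
        roles = None
        if "access_token" in tokens:  # the getKeycloakSecurityContext().getToken().getRealmAccess().getRoles() view
            roles = sorted(verify_token(tokens["access_token"])["realm_access"]["roles"])
        return {"via": "query" if u.query else "fragment", "tokens": sorted(tokens), "roles": roles}
```

Running finish_login(idp.login(rp.start_login("code"))) reports the tokens arriving via the query as a code and then being fetched on the back channel; "id_token" reports only an ID token in the fragment and no roles, and "id_token token" reports both tokens in the fragment. Feeding the same redirect URL twice fails on the consumed state, which is the check that makes a stolen redirect URL useless on its own.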
On 01/08/16 11:41, Mohan.Radhakrishnan(a)cognizant.com wrote:
Hi,
My ID token flow and OIDC filter are working. But I am still doubtful
about my implementation. When I used another IDP (IdentityServer3), the redirect URL issued
from AngularJS gave me the access token with the ID token embedded in it directly.
But now I am using this code.
    AccessToken accessToken = keycloakPrincipal.getKeycloakSecurityContext().getToken();
URL is this:
http://localhost:8080/auth/realms/Test/protocol/openid-connect/auth?respo...
And
https://keycloak.gitbooks.io/securing-client-applications-guide/content/t...
mentions that keycloak.json is required to get the access token in AngularJS.
Am I missing something ? Why is there a difference ?
Thanks,
Mohan
This e-mail and any files transmitted with it are for the sole use of the intended
recipient(s) and may contain confidential and privileged information. If you are not the
intended recipient(s), please reply to the sender and destroy all copies of the original
message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or
copying of this email, and/or any action taken in reliance on the contents of this e-mail
is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail
and other e-mail communications sent to and from Cognizant e-mail addresses may be
monitored.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user