Keycloak handles this scenario well. Adapters are used on the REST
resource side, but also on the UI application side (the application which wants
to redirect to the Keycloak login and exchange the code for a token).
One of Keycloak's points is that you don't need to code anything in order
to handle the OIDC / OAuth2 flow. The server part of the specification is
implemented by the Keycloak auth-server and the client part of the specification
is implemented by our adapters. You don't need to care about redirection
to the Keycloak login screen or exchanging the code for a token etc. Adapters
do all of this for you. You can also enable "consent" for your client,
in which case the user's consent screen will be displayed during
authentication by the Keycloak server. Again, no need to code anything custom.
When you want to send a request to a REST resource, you need to add the
accessToken to the "Authorization: Bearer" header, which will authenticate
the request.
Take a look at our demo examples (customer-portal, product-portal,
oauth-client) for more details.
Marek
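As an added illustration of the flow Marek describes above (redirect the browser to the authorization endpoint, exchange the returned code at the token endpoint, then call the REST resource with an "Authorization: Bearer" header), here is a standard-library-only Python sketch of the client side. It is not Keycloak's adapter code and not from this thread: the endpoint paths are the ones Pavel quotes, while redirect_uri, scope=openid, state and client_secret are standard OAuth2/OIDC parameters the thread does not mention, and every host name and value is constructed. Nothing in it sends a request; each function builds the URL, form body or header so the exchange can be inspected offline.

```python
"""Client side of the OAuth2 Authorization Code Grant against Keycloak's
openid-connect endpoints (stdlib only).  Example code, not Keycloak's
adapter implementation.  Hosts, client ids and secrets below are constructed."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def endpoints(keycloak_base: str, realm: str) -> dict:
    """The two URLs discussed in the thread: authorization and token endpoint."""
    root = f"{keycloak_base.rstrip('/')}/realms/{realm}/protocol/openid-connect"
    return {"auth": f"{root}/auth", "token": f"{root}/token"}


def authorize_url(keycloak_base, realm, client_id, redirect_uri, state=None):
    """Step 1: URL the browser is redirected to (response_type=code).
    `state` is a random value the client keeps in its session and checks on
    the callback, so a code delivered to it belongs to this login attempt.
    (state, redirect_uri and scope are assumptions: standard OAuth2/OIDC
    parameters, not something the thread spells out.)"""
    state = state or secrets.token_urlsafe(16)
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    })
    return f"{endpoints(keycloak_base, realm)['auth']}?{query}", state


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Keycloak redirects back to redirect_uri with ?code=...&state=...
    Refuse the callback unless state matches what we issued, and surface an
    error response instead of treating it as success."""
    params = parse_qs(urlsplit(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to our login attempt")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    if "code" not in params:
        raise ValueError("callback carries neither code nor error")
    return params["code"][0]


def token_request(keycloak_base, realm, client_id, client_secret, code, redirect_uri):
    """Step 2: what the client POSTs to the token endpoint (server to server,
    never through the browser).  Returns (url, form, headers).  redirect_uri
    must be identical to the one sent in step 1; client_secret applies to a
    confidential client and is an assumption of this example."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return endpoints(keycloak_base, realm)["token"], form, headers


def bearer_header(access_token: str) -> dict:
    """Step 3: header attached to every request to the REST resource."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    # Constructed walk-through of the three steps with a fake callback.
    base, realm = "https://sso.example.com", "demo"
    url, state = authorize_url(base, realm, "product-portal", "https://app.example.com/cb")
    print("redirect browser to:", url)
    code = parse_callback(f"https://app.example.com/cb?state={state}&code=CONSTRUCTED_CODE", state)
    tok_url, form, headers = token_request(base, realm, "product-portal", "CONSTRUCTED_SECRET",
                                           code, "https://app.example.com/cb")
    print("POST", tok_url, form)
    print("resource call headers:", bearer_header("CONSTRUCTED_ACCESS_TOKEN"))
```

The one check worth noting is the state comparison in parse_callback: a client that skips it will accept any code handed to its redirect URI, which is exactly what the adapters handle for you when you let them drive the redirects.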
On 20/11/15 13:58, Pavel Maslov wrote:
Hey Marek,
As far as I understood, adapters are used on the Resource side (e.g.
the API you would like to secure with Keycloak).
Here, I am calling the API (resource) from a 3rd party application
(client). First it needs the user's consent to use the API on his
behalf. Then it gets the auth_code, which is then used to obtain the
access token. Then the client is free to utilize the API on behalf of
the user.
Does the Keycloak auth workflow differ slightly from the standard
OAuth2.0 procedure? Or am I missing something?
Thanks.
Regards,
Pavel Maslov, MSc
On Fri, Nov 20, 2015 at 1:41 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
On 20/11/15 12:18, Pavel Maslov wrote:
> Hi everyone,
>
> From the user documentation I could not find the authorization grant url (a
> la github's https://github.com/login/oauth/authorize) and Get token url (a la
> https://github.com/login/oauth/access_token).
>
> I presume it's
> {keycloak_base}/realms/{realm-name}/protocol/openid-connect/auth?client_id={client_name}&response_type=code
> and
> {keycloak_base}/realms/{realm-name}/protocol/openid-connect/token
> respectively, but I am not sure.
Yes, your URLs are correct. However, if you want to use the default
Authorization Code Grant flow and browser applications, you can
just use our adapters. You don't even need to know the
authorization grant URL and token URL, as adapters handle all the
redirections and exchanges for you.
I suggest taking a look at our examples.
And here are the docs for adapters:
http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html
Marek
>
> I would like to follow the standard OAuth2.0 workflow:
>
> 1. Get Auth grant (GET on https://github.com/login/oauth/authorize)
> 2. Get access token in exchange for the auth grant code (POST on
> https://github.com/login/oauth/access_token)
> 3. Use the resource using the access token gotten in step 2.
>
> Please, correct me if I am wrong.
> Thanks.
>
> Regards,
> Pavel Maslov, MSc
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user