Hello everyone,
I am currently working on an Android project and I'm trying to use Keycloak as an
authentication module.
[Disclaimer] I'm still a student, so my questions might appear completely off the mark. I
managed to get Keycloak to work by testing every scrap of code I found about the subject
on the internet, so it might not be the right way to do things; still, it does what I need.
(Mostly from this post:
http://lists.jboss.org/pipermail/keycloak-user/2016-January/004445.html)
I previously managed to connect to Keycloak by:
1 - using a WebView
2 - loading the login page URL
3 - getting the user to provide login/password on the page
4 - getting a code back with the previous URL
(protocol/openid-connect/auth?response_type=code&client_id=android_app&redirect_uri=android://app)
5 - sending this code to another URL in a form:
import org.keycloak.representations.AccessTokenResponse;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

// Form-encode the request body and parse the JSON token response.
RestTemplate template = new RestTemplate();
template.getMessageConverters().add(new FormHttpMessageConverter());
template.getMessageConverters().add(new MappingJackson2HttpMessageConverter());

// Exchange the code received on the redirect URI for tokens (RFC 6749, section 4.1.3).
MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
form.add("grant_type", "authorization_code");
form.add("client_id", "android_app");
form.add("code", code);
form.add("redirect_uri", "android://app"); // must match the redirect_uri used in step 4

// {realm} is a URI template variable: supply it as a trailing argument to postForEntity.
ResponseEntity<AccessTokenResponse> rssResponse = template.postForEntity(
        "xxx/auth/realms/{realm}/protocol/openid-connect/token",
        form,
        AccessTokenResponse.class);
6 - parsing this JWT into what I need.
I found that you could use Direct Grant Access to avoid using the "Keycloak login
page", and I am wondering if I'm doing things right when I use it.
I'm actually trying to provide the login and password from an NFC tag, and that can't
really work with the usual page.
What I'm doing now is:
1 - create a form containing my password and login (as clear as water)
2 - send it to Keycloak:
import org.keycloak.representations.AccessTokenResponse;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

// Form-encode the request body and parse the JSON token response.
RestTemplate template = new RestTemplate();
template.getMessageConverters().add(new FormHttpMessageConverter());
template.getMessageConverters().add(new MappingJackson2HttpMessageConverter());

// Resource Owner Password Credentials grant (RFC 6749, section 4.3): the username and
// password are sent in the request body itself, so the connection must be TLS.
MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
form.add("grant_type", "password");
form.add("client_id", "android_app");
form.add("username", "test");
form.add("password", "test");
form.add("redirect_uri", "android://app"); // not part of the password grant; ignored by the server

// {realm} is a URI template variable: supply it as a trailing argument to postForEntity.
ResponseEntity<AccessTokenResponse> rssResponse = template.postForEntity(
        "xxx/auth/realms/{realm}/protocol/openid-connect/token",
        form,
        AccessTokenResponse.class);
But I'm worried about the login and password in this message.
Isn't it vulnerable as I'm using HTTP? Or if I add HTTPS, will it be secure enough?
I'm really not familiar with this process, so I'm open to any suggestions or
explanations.
Thanks in advance for reading (sorry for my English if there are mistakes).
Best regards,
Maxime.
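An added worked example (Python; not from Maxime's post and not Keycloak's own code) covering the two requests in the post: it builds the realm's token-endpoint URL and the form bodies for both the authorization-code exchange and the password grant, refuses a token endpoint that is not HTTPS (with the password grant the username and password travel in the POST body, so TLS is the minimum), and inspects the claims of the returned access token. The host, realm, timestamps and the sample token are constructed placeholders; checking the RS256 signature is left to a JWT library with the realm's public key.

```python
"""Added example: Keycloak token-endpoint requests and access-token claim checks.
Host, realm and the sample token below are constructed placeholders, not values
from the mailing-list post."""
import base64
import json
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

BASE_URL = "https://keycloak.example.invalid/auth"  # hypothetical server (the post writes "xxx/auth")
REALM = "demo"                                       # hypothetical realm
CLIENT_ID = "android_app"                            # client id used in the post
REDIRECT_URI = "android://app"                       # redirect URI used in the post


def token_endpoint(base_url: str, realm: str) -> str:
    """Realm token endpoint. Refuses non-HTTPS base URLs: the password grant
    carries the raw username and password in the POST body, and an http://
    endpoint would expose them to anyone on the network path."""
    if urlparse(base_url).scheme != "https":
        raise ValueError("token endpoint must be HTTPS: " + base_url)
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def issuer(base_url: str, realm: str) -> str:
    """The 'iss' value Keycloak puts in tokens for this realm."""
    return f"{base_url.rstrip('/')}/realms/{realm}"


def authorization_code_form(code: str) -> Dict[str, str]:
    """Body for the code exchange (step 5 in the post, RFC 6749 section 4.1.3)."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "code": code, "redirect_uri": REDIRECT_URI}


def password_grant_form(username: str, password: str) -> Dict[str, str]:
    """Body for the Direct Access Grant (RFC 6749 section 4.3.2). There is no
    redirect_uri in this grant; the credentials themselves are the request."""
    return {"grant_type": "password", "client_id": CLIENT_ID,
            "username": username, "password": password}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> Tuple[dict, dict]:
    """Split a compact JWT into (header, claims). This does NOT verify the
    signature; do that with a JWT library and the realm's RS256 public key
    before acting on any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return (json.loads(_b64url_decode(parts[0])),
            json.loads(_b64url_decode(parts[1])))


def check_token(token: str, expected_iss: str, client_id: str,
                now: Optional[float] = None) -> List[str]:
    """Return the list of problems found in the token (empty means the claims
    are consistent with what this client asked for)."""
    now = time.time() if now is None else now
    header, claims = decode_jwt(token)
    problems = []
    if header.get("alg") != "RS256":          # Keycloak signs with RS256; never accept "none"
        problems.append("unexpected alg " + repr(header.get("alg")))
    if claims.get("iss") != expected_iss:
        problems.append("issuer mismatch")
    if claims.get("azp") != client_id:        # azp = the client the token was issued to
        problems.append("authorized party mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed token for the offline demo. The signature segment is a
    placeholder, so this token must never be trusted, only inspected."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"placeholder-signature")])


SAMPLE_CLAIMS = {  # constructed claims shaped like a Keycloak access token
    "iss": issuer(BASE_URL, REALM), "azp": CLIENT_ID, "typ": "Bearer",
    "preferred_username": "test", "iat": 1_700_000_000, "exp": 1_700_000_300,
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    print(token_endpoint(BASE_URL, REALM))
    print(password_grant_form("test", "test"))
    iss = issuer(BASE_URL, REALM)
    print("problems at issue time:", check_token(SAMPLE_TOKEN, iss, CLIENT_ID, now=1_700_000_100))
    print("problems later:", check_token(SAMPLE_TOKEN, iss, CLIENT_ID, now=1_700_000_700))
```

To answer the question in the post with this code: `token_endpoint` raises on an `http://` base URL because there is no way to send a password grant safely without TLS, and even over HTTPS the client should still check the issuer, the authorized party and the expiry of what comes back, since a token response is only as trustworthy as the server that signed it.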