Hi Josh,
I have deployed my WAR(s) by using the Keycloak Tomcat and Spring Security adapters. The
web apps seem to be running fine with Keycloak SSO enabled from the browser, where I am
redirected to a login page and then to the original URL.
Apart from the browser I also have a use case where the web app REST calls can be made
through Java code directly from other standalone Java applications.
Think of the web app REST endpoints as an SDK whose consumers can be browser based as
well as non-browser based.
The consumers here have a high degree of trust and have the username/password available.
That way I can think of "Resource Owner Password Credentials grant" to be used.
I read that we can use generic OpenID Connect Resource Provider libraries for
such cases:
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/oidc...
1. /realms/{realm-name}/protocol/openid-connect/token
   This is the URL endpoint for obtaining a temporary code in the Authorization Code Flow or
   for obtaining tokens via the Implicit Flow, Direct Grants, or Client Grants.
2. /realms/{realm-name}/protocol/openid-connect/userinfo
   This is the URL endpoint for the User Info service described in the OIDC specification.
3. /realms/{realm-name}/protocol/openid-connect/logout
   This is the URL endpoint for performing logouts.
I can think of using #1 to get the access token and then passing this token for all my
subsequent REST calls. I even tested this and found it working.
Does this make sense, or are there any better alternatives?
Regards,
-Nirmal
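
The flow described in the message above, as an added example that is not part of the original thread or the Keycloak project's code: request a token from endpoint #1 with the Resource Owner Password Credentials grant, then send it as a Bearer token on a REST call. It assumes Java 11+, a public client with direct access grants enabled, and hypothetical environment variable names (KC_BASE_URL, KC_REALM, KC_CLIENT_ID, KC_USERNAME, KC_PASSWORD, API_URL) so that no credential is hard-coded.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;
import java.util.stream.Collectors;

public class DirectGrantClient {
    // Fail early with a clear message if a setting is missing (variable names are assumptions).
    static String env(String name) {
        return Objects.requireNonNull(System.getenv(name), "missing environment variable " + name);
    }
    // Form-encode each pair so characters such as '&' or '=' in a password cannot alter the body.
    static String formEncode(Map<String, String> params) {
        return params.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
    }
    // Minimal extraction for this sketch; use a JSON parser in production code.
    static String extractAccessToken(String json) {
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) throw new IllegalStateException("no access_token in token response");
        return m.group(1);
    }
    public static void main(String[] args) throws Exception {
        String tokenUrl = env("KC_BASE_URL") + "/realms/" + env("KC_REALM")
                + "/protocol/openid-connect/token";
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "password");   // Resource Owner Password Credentials grant
        form.put("client_id", env("KC_CLIENT_ID"));
        form.put("username", env("KC_USERNAME"));
        form.put("password", env("KC_PASSWORD"));
        HttpClient http = HttpClient.newHttpClient();
        HttpResponse<String> tokenResp = http.send(HttpRequest.newBuilder(URI.create(tokenUrl))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(formEncode(form))).build(),
                HttpResponse.BodyHandlers.ofString());
        if (tokenResp.statusCode() != 200)
            throw new IllegalStateException("token request failed: HTTP " + tokenResp.statusCode());
        String accessToken = extractAccessToken(tokenResp.body());
        // Present the token to the protected REST endpoint as a Bearer credential.
        HttpResponse<String> api = http.send(HttpRequest.newBuilder(URI.create(env("API_URL")))
                .header("Authorization", "Bearer " + accessToken).GET().build(),
                HttpResponse.BodyHandlers.ofString());
        System.out.println("API status: " + api.statusCode());
    }
}
```

The token response also carries `expires_in` and `refresh_token`; a long-running client should renew the access token from those rather than resending the password.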
-----Original Message-----
From: Josh Cain [mailto:jcain@redhat.com]
Sent: Friday, May 5, 2017 6:52 PM
To: Nirmal Kumar <nirmal.kumar(a)impetus.co.in>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] SSO from Java code
Hi Nirmal,
Depending on what protocol you're using, I think Keycloak's got you covered.
I'd check out either the SAML ECP flow[0] or the OIDC Resource Owner Password
Credentials flow[1], both of which are supported by Keycloak.
However, I'd also point out that these are highly uncommon and should only be used in
a small number of cases. Do you mind my asking why you're needing to cut a browser
out of the picture?
[0]
http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v...
[1]
https://tools.ietf.org/html/rfc6749#section-1.3.3
Josh Cain
Senior Software Applications Engineer, RHCSA Red Hat North America jcain(a)redhat.com M: +1
256-452-0150 IRC: jcain
On 05/05/2017 04:26 AM, Nirmal Kumar wrote:
Hi All,
I installed the standalone version of latest keycloak 3.0.0.Final and was pretty much
impressed with the ease of getting SSO for my spring based REST web applications deployed
on Tomcat 7.
I am wondering if I can get the same SSO feature from Java code, all without ever
going to a browser, since I want the same from a CLI and no UI/browser.
Thanks,
-Nirmal
________________________________
NOTE: This message may contain information that is confidential, proprietary, privileged
or otherwise protected by law. The message is intended solely for the named addressee. If
received in error, please destroy and notify the sender. Any use of this email is
prohibited when received in error. Impetus does not represent, warrant and/or guarantee,
that the integrity of this communication has been maintained nor that the communication is
free of errors, virus, interception or interference.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user