Hi,
Keycloak uses the OpenID Connect / OAuth2 protocol. Once you
authenticate in Keycloak, Keycloak redirects to the application
with the "code" and "state" parameters. Then your application is
supposed to use this code in the code-to-token request (the request
needs to be sent to the endpoint you mentioned).
The important thing is that if you use our built-in adapters, you don't
need to care about any protocol details at all. The adapter will
automatically send the request to the token endpoint and exchange the
code for the token. Similarly, it automatically handles token refreshing,
logouts etc.
We have examples on how to use our adapters. You can take a look at
them. You need to care about exchanging the code manually etc. only in
case you can't use our adapters for some reason. But using our adapters
(or at least some other existing 3rd party OIDC/OAuth2 adapter) is the
preferred way over writing the whole OIDC/OAuth2 workflow by yourself, as
that's quite error prone.
Marek
On 22/04/17 19:51, Tech wrote:
Hi,
We are trying to set up a working login infrastructure as follows: an
application which we are trying to log in to through Keycloak.
The flow is as follows: we get to the application, which redirects us to
Keycloak, which should log the user and give correct access rights. This
works, Keycloak is putting the correct cookies (KEYCLOAK_IDENTITY,
KEYCLOAK_SESSION) and that redirects us back to the application.
The problem that we have is that we are not able to identify the user
logged in to Keycloak. This is doable by the access_token, if we would
work with REST calls, but we only have the KEYCLOAK_IDENTITY cookie.
We are trying to somehow get the openid token with this
url /auth/realms/demo/protocol/openid-connect/token with the following
URL Encoded params:
- grant_type: authorization_code
- client_id: *client-id*
- client_secret: *secret*
- code: ???what code should we provide here??? (we tried adding the code
seen from browser requests but that throws invalid_code error)
The actual problem is that there is no available example in the
documentation (or at least we didn't find any) that shows how to set up a
login flow without access_token request.
Thanks,
Alin
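
Added example (not part of the original thread and not Keycloak adapter code): the manual steps described in the reply, checking "state" on the redirect and then building the code-to-token request for the token endpoint quoted above. The host name, client ID, secret and redirect URI are placeholder assumptions, and the request is built but not sent, so the block runs offline.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs, urlencode
from urllib.request import Request

# Assumed placeholders: host, client id/secret and redirect URI are not from the thread.
TOKEN_ENDPOINT = ("https://keycloak.example.com"
                  "/auth/realms/demo/protocol/openid-connect/token")
CLIENT_ID = "my-client"
CLIENT_SECRET = "placeholder-secret"
REDIRECT_URI = "https://app.example.com/callback"


class CallbackError(Exception):
    """Raised when the redirect back from the login page must be rejected."""


def new_state():
    """Random value kept in the user's session before redirecting to the login page."""
    return secrets.token_urlsafe(32)


def extract_code(callback_url, session_state):
    """Return the authorization code from the redirect, after checking 'state'."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise CallbackError("authorization server returned: " + params["error"][0])
    # Exactly one code and one state are expected; duplicates are rejected.
    if len(params.get("code", [])) != 1 or len(params.get("state", [])) != 1:
        raise CallbackError("missing or duplicated code/state parameter")
    # Constant-time comparison; a mismatch means the response is not for this session.
    if not hmac.compare_digest(params["state"][0].encode(), session_state.encode()):
        raise CallbackError("state mismatch")
    return params["code"][0]


def build_token_request(code):
    """Build (not send) the code-to-token POST with a form-encoded body."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,                  # single use; must be sent once, promptly
        "redirect_uri": REDIRECT_URI,  # same value as in the login redirect
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }).encode()
    return Request(TOKEN_ENDPOINT, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})
```

Sending the request (for example with urllib.request.urlopen) returns a JSON body containing the tokens; the request must go from the server side, since it carries the client secret.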