Is it possible to authenticate against a Keycloak's Identity Provider (OpenAM) without using the Login screen?
10:25 p.m.
I am wondering if it is possible to delegate to authentication to an identity provider, as
you would on the Login Page, but using the REST API. I've posted to stackoverflow a
few minutes ago with details and diagrams to try to explain the best I could:
http://stackoverflow.com/questions/38859379/is-it-possible-to-authenticat...
Please feel free to correct any misconceptions I might have, I am new to all these tools I
am posting about (APIMAN, Keycloak and OpenAM)
Thanks,Abelardo
11:43 a.m.
- If you want to skip just Keycloak login page, then you can possibly
set the "Authenticate by default" in the Keycloak admin console on the
OpenAM identity provider screen. This means that Keycloak won't try to
show the login screen, but immediatelly redirect to OpenAM login screen.
However in case that you're not yet logged to OpenAM, you will still see
the OpenAM login screen. So this is likely not sufficient for you?
-Option 2) Probably better for non-browser usecase, but more complex.
Keycloak has support for "direct access grants" aka. OAuth2 "Resource
Owner password credentials grant". See the OAuth2 specs for details.
So you can implement your own Authenticator, which will re-send the
provided username+password to OpenAM and then if it success, the
Authenticator itself will create user to KEycloak DB (if doesn't yet
exists). You will need to create new Authentication flow and put your
Authenticator here and configure as "Direct Grant" authenticator in
Keycloak admin console. See Authentication SPI docs for more details.
This is possible just if OpenAM itself also has support for "Resource
owner password credentials grant" or something like that, which will
allow to send just REST request for validate username+password .
Maybe we should support this OOTB as it looks there are more people
asking for it...
Marek
On 09/08/16 22:25, Abelardo Vacca wrote:
I am wondering if it is possible to delegate to authentication to an
identity provider, as you would on the Login Page, but using the REST API.
I've posted to stackoverflow a few minutes ago with details and
diagrams to try to explain the best I could:
http://stackoverflow.com/questions/38859379/is-it-possible-to-authenticat...
Please feel free to correct any misconceptions I might have, I am new
to all these tools I am posting about (APIMAN, Keycloak and OpenAM)
Thanks,
Abelardo
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:21 p.m.
I ran into this issue when wanting to use the auth code flow without a
browser; currently out of the box you can't pass an Accept header to
Keycloak and get a challenge response in JSON rather than HTML.
We're passing requests through an API gateway, so I was able to do some
funny business to get it to work. Basically the steps are:
1. The user agent submits a POST request to /realms/{realm}/login-
actions/authenticate to the gateway with a username and password
parameter.
2. The API gateway intercepts the request and first makes a GET request
to /realms/{realm}/protocol/openid-connect/auth to grab the
authentication form HTML
3. The API gateway digs out the "code" and "execution" query string
parameters in the form action
4. The API gateway adds those parameters to the form parameters in the
POST request before passing it through to Keycloak.
This results in a redirect response with an auth code for the user agent
to follow.
Another approach would be to write an authenticator to supply the
challenge response in JSON, which we may ultimately do.
On Tue, Aug 9, 2016, at 04:25 PM, Abelardo Vacca wrote:
I am wondering if it is possible to delegate to authentication to an
identity provider, as you would on the Login Page, but using the
REST API.
I've posted to stackoverflow a few minutes ago with details and
diagrams to try to explain the best I could:
http://stackoverflow.com/questions/38859379/is-it-possible-to-authenticat...
Please feel free to correct any misconceptions I might have, I am new
to all these tools I am posting about (APIMAN, Keycloak and OpenAM)
Thanks,
Abelardo
_________________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Aikeaguinea
aikeaguinea(a)xsmail.com
--
http://www.fastmail.com - Same, same, but different...
3090
days inactive
3091
days old
2 comments
3 participants
participants (3)
-
Abelardo Vacca -
Aikeaguinea -
Marek Posolda