12:48 a.m.
Hi,
How can I obtain a bearer token from keycloak without using the direct
access grant (
http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-acce...
).
I have configured a SAML Identity Broker in Keycloak which handles the
login for my realm. As a result I do not have a username/password
combination to POST it to:
/{keycloak-root}/realms/{realm-name}/protocol/openid-connect/token
How would I obtain a bearer token in this situation?
Kind regards,
Ton
1:15 a.m.
After finish of OIDC authentication, Keycloak will redirect to your
application with the "code" parameter. Keycloak will always do this, it
doesn't matter if you authenticated through SAML identity broker or
username/password form or any other method. Then you theoretically need
to exchange the code for access-token in backchannel request, however as
long as you use our adapters, you don't need to care about it as adapter
will do it for you.
We have examples (using adapters) where you can also see how is bearer
access token retrieved and then used for additional REST calls to REST
endpoints secured by bearer token. See the demo example and the
"customer-portal" and "product-portal" applications.
Marek
On 08/12/15 16:48, Ton Swieb wrote:
Hi,
How can I obtain a bearer token from keycloak without using the direct
access grant
(http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-acce...).
I have configured a SAML Identity Broker in Keycloak which handles the
login for my realm. As a result I do not have a username/password
combination to POST it to:
|/{keycloak-root}/realms/{realm-name}/protocol/openid-connect/toke|n
How would I obtain a bearer token in this situation?
Kind regards,
Ton
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:55 a.m.
Hi Marek,
Thank you for your answer. I understand that I should use an adapter, but
it is unclear to me how that will work in my situation.
I will try to clarify.
I am using JBoss Apiman which uses JBoss Keycloak to manage its realm. Both
JBoss Apiman and JBoss Keycloak run on the same Wildfly application server.
Apiman runs on wildfly so my assumption is that an adapter is already used
to secure the Apiman GUI and to do the back channelling.
But next to the Apiman GUI there is a Apiman gateway which uses a Keycloak
OAuth plugin to enforce a security policy on managed api calls. The gateway
itself is not secured by OAuth and is not known as a client in a keycloak
realm. But the Keycloak OAuth plugin does expect a bearer token.
I am unsure where I could apply an adapter to acomplish this and which
adapter it should be.
My setup is similair to the one discussed here:
http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication...
with the difference that I use a third party login. So I cannot use direct
access grants.
Regards,
Ton
2015-12-08 17:15 GMT+01:00 Marek Posolda <mposolda(a)redhat.com>:
After finish of OIDC authentication, Keycloak will redirect to your
application with the "code" parameter. Keycloak will always do this, it
doesn't matter if you authenticated through SAML identity broker or
username/password form or any other method. Then you theoretically need to
exchange the code for access-token in backchannel request, however as long
as you use our adapters, you don't need to care about it as adapter will do
it for you.
We have examples (using adapters) where you can also see how is bearer
access token retrieved and then used for additional REST calls to REST
endpoints secured by bearer token. See the demo example and the
"customer-portal" and "product-portal" applications.
Marek
On 08/12/15 16:48, Ton Swieb wrote:
Hi,
How can I obtain a bearer token from keycloak without using the direct
access grant (
http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-acce...
).
I have configured a SAML Identity Broker in Keycloak which handles the
login for my realm. As a result I do not have a username/password
combination to POST it to:
/{keycloak-root}/realms/{realm-name}/protocol/openid-connect/token
How would I obtain a bearer token in this situation?
Kind regards,
Ton
_______________________________________________
keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
12:47 a.m.
Hi Marek,
I got it working using the JS-Console example which uses the javascript
adapter.
I extended the JS-Console example with a function that does something like:
var client = new XMLHttpRequest();
client.open("GET", url, false);
client.setRequestHeader("Accept", "application/json");
client.setRequestHeader("Authorization", "Bearer " +
keycloak.token);
client.send();
The keycloak.token is available after a call to keycloak.login()
Thanks for pointing me in that direction.
Regards,
Ton
2015-12-08 17:55 GMT+01:00 Ton Swieb <ton(a)finalist.nl>:
Hi Marek,
Thank you for your answer. I understand that I should use an adapter, but
it is unclear to me how that will work in my situation.
I will try to clarify.
I am using JBoss Apiman which uses JBoss Keycloak to manage its realm.
Both JBoss Apiman and JBoss Keycloak run on the same Wildfly application
server. Apiman runs on wildfly so my assumption is that an adapter is
already used to secure the Apiman GUI and to do the back channelling.
But next to the Apiman GUI there is a Apiman gateway which uses a Keycloak
OAuth plugin to enforce a security policy on managed api calls. The gateway
itself is not secured by OAuth and is not known as a client in a keycloak
realm. But the Keycloak OAuth plugin does expect a bearer token.
I am unsure where I could apply an adapter to acomplish this and which
adapter it should be.
My setup is similair to the one discussed here:
http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication...
with the difference that I use a third party login. So I cannot use direct
access grants.
Regards,
Ton
2015-12-08 17:15 GMT+01:00 Marek Posolda <mposolda(a)redhat.com>:
> After finish of OIDC authentication, Keycloak will redirect to your
> application with the "code" parameter. Keycloak will always do this, it
> doesn't matter if you authenticated through SAML identity broker or
> username/password form or any other method. Then you theoretically need to
> exchange the code for access-token in backchannel request, however as long
> as you use our adapters, you don't need to care about it as adapter will do
> it for you.
>
> We have examples (using adapters) where you can also see how is bearer
> access token retrieved and then used for additional REST calls to REST
> endpoints secured by bearer token. See the demo example and the
> "customer-portal" and "product-portal" applications.
>
> Marek
>
> On 08/12/15 16:48, Ton Swieb wrote:
>
> Hi,
>
> How can I obtain a bearer token from keycloak without using the direct
> access grant (
>
http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-acce...
> ).
>
> I have configured a SAML Identity Broker in Keycloak which handles the
> login for my realm. As a result I do not have a username/password
> combination to POST it to:
>
> /{keycloak-root}/realms/{realm-name}/protocol/openid-connect/token
>
> How would I obtain a bearer token in this situation?
>
> Kind regards,
>
> Ton
>
>
> _______________________________________________
> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
3073
days inactive
3074
days old
3 comments
2 participants
participants (2)
-
Marek Posolda -
Ton Swieb