[Apiman-user] Question about OAuth2 (apiman & keycloak)

Marc Savy marc.savy at redhat.com
Wed Sep 9 05:35:55 EDT 2015


> and to decode the base64 token into something more human-readable:
>
> http://jwt.io/

Ah, that's very cool! Thanks for that, didn't know about it. Maybe I
should integrate a reference to it in the blog.

On 09/09/2015 08:39, Charles Moulliard wrote:
> Thx for the info. To be complete, these links are also very valuable to
> understand the JWT (Token issued by Keycloak)
>
> https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
> https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html
>
>
> and to decode the base64 token into something more human-readable:
>
> http://jwt.io/
>
>
> On 07/09/15 20:30, Marc Savy wrote:
>> This is using openid-connect, which is layered on top of OAuth2 and
>> provides a bunch of useful standardised fields for authentication
>> purposes (to verify that the caller is who they claim to be; as
>> opposed to authorization, which is talking more about what you are
>> allowed to do).
>>
>> There are a couple of good StackExchange threads which will be helpful:
>>  - http://security.stackexchange.com/a/44614
>>  - http://security.stackexchange.com/a/47136
>>
>> On 07/09/2015 17:18, Charles Moulliard wrote:
>>> Hi,
>>>
>>> This blog post details how to use OAuth2 between Apiman & Keycloak
>>> ("http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html").
>>>
>>>
>>> I have some questions for you about how these requests relate to the
>>> OAuth2 spec/protocol.
>>>
>>> When we issue the request to get an access token for the client_id =
>>> apiman "curl -X POST
>>> http://127.0.0.1:8080/auth/realms/stottie/protocol/openid-connect/token
>>> -H "Content-Type: application/x-www-form-urlencoded" -d
>>> "username=rincewind" -d 'password=apiman' -d 'grant_type=password' -d
>>> 'client_id=apiman'", does this request correspond to the OAuth2 process
>>> where the client requests an access token from the authorization server (=
>>> Keycloak) using grant_type = password
>>> (http://oauthlib.readthedocs.org/en/latest/oauth2/grants/password.html)?
>>>
>>> Is this request also issued by the "Apiman OAuth2 Policy" when an HTTP
>>> client calls the gateway to access an HTTP endpoint secured by the
>>> API gateway?
>>>
>>> Regards,
>>>
>>> Charles
>>> _______________________________________________
>>> Apiman-user mailing list
>>> Apiman-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>>
>>
>
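The token-then-decode flow discussed in this thread, as an added example that is not part of the original posts or of apiman/Keycloak: it decodes a JWT's header and payload the way jwt.io does (base64url, no verification) and separately verifies the signature and expiry, which is the check a gateway policy must do before trusting the claims. Assumptions: the token is HS256-signed with a constructed shared secret so the example runs offline (Keycloak signs access tokens with RS256 by default, so a real check verifies against the realm's public key instead), and the claim values are constructed from the realm, user and client names in the thread.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str) -> dict:
    """What jwt.io shows: header and payload JSON. No signature check at all."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64))}


def verify_hs256(token: str, key: bytes, now: int) -> dict:
    """Verify an HS256 JWT's signature and expiry; return the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust 'alg' from the token
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the issuer (Keycloak's token endpoint)."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


# Constructed sample claims, reusing the realm, user and client names from the thread.
SAMPLE_KEY = b"constructed-demo-secret"
SAMPLE_CLAIMS = {"iss": "http://127.0.0.1:8080/auth/realms/stottie",
                 "sub": "rincewind", "azp": "apiman", "exp": 1441800000}
SAMPLE_TOKEN = make_hs256_token(SAMPLE_CLAIMS, SAMPLE_KEY)
```

Decoding alone tells you what the token says; only the signature check tells you Keycloak said it, so never authorize on `decode_jwt` output.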