[keycloak-dev] Direct Grant API for Confidential Clients

Lance Ball lball at redhat.com
Tue May 17 11:25:44 EDT 2016


Marek

Thanks for that clarification - this helps a lot. It helps to read the
spec. :)

Resource Owner Password Credentials Grant -
https://tools.ietf.org/html/rfc6749#section-4.3
Client Credentials Grant - https://tools.ietf.org/html/rfc6749#section-4.4

Lance

On Tue, May 17, 2016 at 4:36 AM, Marek Posolda <mposolda at redhat.com> wrote:

> Hi Lance,
>
> if you specify the "grant_type=password" you are using Direct access
> grants (it's called "Resource Owner Password credentials grant" in OAuth2
> specification) documented here [1]
>
> if you specify the "grant_type=client_credentials" you are using Service
> accounts and you are obtaining token on behalf of client (it's called
> "Client Credentials grant" in OAuth2 specification) and it's documented
> here [2]
>
> [1]
> http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html
> [2]
> http://keycloak.github.io/docs/userguide/keycloak-server/html/service-accounts.html
>
> Marek
>
>
> On 16/05/16 23:19, Lance Ball wrote:
>
> Hi All
>
> I've been updating the keycloak-nodejs-auth-utils module to keep up with
> recent changes in Keycloak, and one thing I've noticed seems to contradict
> what's written in the documentation. Can anyone provide clarity on this for
> me?
>
> In the docs for Direct Access Grants[1] it says, "For confidential
> client's, you must create a Basic Auth Authorization header that contains
> the client_id and client secret. And pass in the form parameters for
> username and for each user credential. For example:"
>
>     POST /auth/realms/demo/protocol/openid-connect/token
>     Authorization: Basic atasdf023l2312023
>     Content-Type: application/x-www-form-urlencoded
>
>     username=bburke&password=geheim&grant_type=password
>
> (That's copied and pasted into GMail. I hope the formatting is OK).
>
> But in the keycloak-nodejs-auth-utils module, I am able to obtain a grant
> without including the username and password. Additionally, I must specify
> 'client_credentials' as the grant_type [2].
>
> Do I misunderstand what is going on here or is the documentation out of
> date?
>
> Thanks
> Lance
>
> [1]
> http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html
> [2]
> https://github.com/keycloak/keycloak-nodejs-auth-utils/blob/master/lib/grant-manager.js#L71-L79
>
>
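The two token requests the thread contrasts, as an added Node.js example (not code from the thread or from keycloak-nodejs-auth-utils): a confidential client sends its own credentials in the Basic header in both cases, while only the password grant carries user credentials in the form body. The realm, client id, secret and user values are constructed.

```javascript
// Added example, not from the thread or from keycloak-nodejs-auth-utils.
// Constructed values: realm "demo", client "demo-client", secret "s3cr3t".
const TOKEN_PATH = '/auth/realms/demo/protocol/openid-connect/token';

// Confidential client authentication: HTTP Basic header carrying
// client_id:client_secret (RFC 6749 section 2.3.1), never the form body.
function basicAuthHeader(clientId, clientSecret) {
  const encoded = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  return `Basic ${encoded}`;
}

// Build a token-endpoint request for either grant type.
// Returns { method, path, headers, body } without sending anything.
function buildTokenRequest(opts) {
  const { grantType, clientId, clientSecret } = opts;
  const form = new URLSearchParams();
  form.set('grant_type', grantType);

  if (grantType === 'password') {
    // Resource Owner Password Credentials grant (RFC 6749 section 4.3):
    // the user's credentials travel in the form body, URL-encoded.
    if (!opts.username || !opts.password) {
      throw new Error('password grant requires username and password');
    }
    form.set('username', opts.username);
    form.set('password', opts.password);
  } else if (grantType === 'client_credentials') {
    // Client Credentials grant (RFC 6749 section 4.4): the token is issued to
    // the client's service account, so no user credentials are sent at all.
    if (opts.username || opts.password) {
      throw new Error('client_credentials grant takes no user credentials');
    }
  } else {
    throw new Error(`unsupported grant_type: ${grantType}`);
  }

  return {
    method: 'POST',
    path: TOKEN_PATH,
    headers: {
      Authorization: basicAuthHeader(clientId, clientSecret),
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: form.toString(),
  };
}
```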