[keycloak-user] Client options for authenticating against Keycloak-secured services

[Stian Thorgersen]

----- Original Message -----
> From: "Guy Davis" <guydavis.ca at gmail.com>
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 2 March, 2015 11:38:43 PM
> Subject: [keycloak-user] Client options for authenticating against	Keycloak-secured services
> 
> Good day,
> 
> I'm hoping to summarize the methods for a client Java program to authenticate
> against a Keycloak-secured service endpoint. Please correct any
> misunderstandings I have in the summary below:
> 
> 
>     1. Client program can issue a KC REST API call to get a token and then
>     use it as "Authorization" header of type "Bearer" as per example
>     2. Client program (such as Apache HttpClient lib) can use Basic
>     Authorization if KC secured-deployment has been configured to allow.
>     3. Client program can negotiate a SAML v2.0 SP-initiated SSO session
>     directly against KC if the service is so configured.
>     4. Client program can negotiate a OpenID Connect SSO session directly
>     against KC if the service is so configured.
> 
> I have working Java examples now for #1 and #2, but was wondering if there
> were any Java examples of #3 and #4. Is my understanding of the
> authentication options for clients correct?

1 is a good option and it's just oauth resource owner password credentials. If possible embedding a webview (or using external browser to login) and using the standard login flow is a good option as well.

I'm not sure what you mean about 3 and 4. Both SAML and OpenID Connect are web based flows.

> 
> By the way, I am greatly impressed by the progress being made on the master
> branch around Kerberos/SPNEGO and Identity Brokering. Kudos to the team.
> 
> Thanks in advance,
> Guy
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user