[keycloak-user] [OAuth2.0] Authorization grant & Get token urls
Stian Thorgersen
sthorger at redhat.com
Mon Nov 23 04:53:53 EST 2015
For non-UI you have two options:
1. Use a browser to retrieve the token. Obviously only works for CLIs on a
workstation where a browser is available. Try the customer-app-cli from our
demo/examples which does this.
2. Resource Owner Password Credentials from OAuth2 (we refer to it as
direct grant in our docs, but it's the same protocol)
We currently don't have any libs for 2, but it's pretty simple to implement
yourself, or you can use any other OAuth2 RP lib.
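Both exchanges discussed in this thread, the authorization code flow against the /auth and /token URLs Pavel listed and the direct grant (Resource Owner Password Credentials) Stian mentions, written out as a small client. This is an added example, not part of the original post and not Keycloak's adapters or examples; the keycloak_base, realm and client names are assumed, and the HTTP transport is injectable so the code can be exercised offline against constructed token responses.

```python
"""Minimal OAuth2 client for Keycloak's openid-connect endpoints (illustrative, not Keycloak's own code)."""
import json
import urllib.error
import urllib.parse
import urllib.request


class OAuthError(Exception):
    """Error reply from the token endpoint or a bad redirect (RFC 6749 error / error_description)."""

    def __init__(self, error, description=""):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def endpoints(keycloak_base, realm):
    """Authorization and token endpoints, as confirmed in the thread."""
    base = f"{keycloak_base.rstrip('/')}/realms/{realm}/protocol/openid-connect"
    return {"auth": base + "/auth", "token": base + "/token"}


def authorization_url(keycloak_base, realm, client_id, redirect_uri, state, scope="openid"):
    """Step 1 of the code flow: the URL the user's browser is sent to.

    `state` must be unguessable and remembered by the client; it binds the redirect
    back to this request so an attacker cannot hand the client a code of their own.
    """
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "scope": scope}
    return endpoints(keycloak_base, realm)["auth"] + "?" + urllib.parse.urlencode(params)


def parse_redirect(location, expected_state):
    """Pull the code out of the redirect URL, refusing it unless the state matches."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(location).query)
    if params.get("state", [None])[0] != expected_state:
        raise OAuthError("state_mismatch", "redirect did not carry the state we sent")
    if "error" in params:
        raise OAuthError(params["error"][0], params.get("error_description", [""])[0])
    if "code" not in params:
        raise OAuthError("invalid_redirect", "no code in redirect")
    return params["code"][0]


def default_transport(url, body, headers):
    """POST a form body, returning (status, text); 4xx replies are returned rather than raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def _token_request(keycloak_base, realm, fields, transport):
    """Common half of both grants: form-encoded POST to /token, JSON back."""
    body = urllib.parse.urlencode(fields).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    status, text = transport(endpoints(keycloak_base, realm)["token"], body, headers)
    try:
        data = json.loads(text)
    except ValueError:
        raise OAuthError("invalid_response", f"non-JSON reply with HTTP {status}")
    if status != 200 or "access_token" not in data:
        raise OAuthError(data.get("error", "unknown_error"), data.get("error_description", ""))
    return data


def exchange_code(keycloak_base, realm, client_id, code, redirect_uri,
                  client_secret=None, transport=default_transport):
    """Step 2 of the code flow. redirect_uri must equal the one used in step 1."""
    fields = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": redirect_uri, "client_id": client_id}
    if client_secret:  # confidential clients authenticate; public clients send client_id only
        fields["client_secret"] = client_secret
    return _token_request(keycloak_base, realm, fields, transport)


def direct_grant(keycloak_base, realm, client_id, username, password,
                 client_secret=None, transport=default_transport):
    """Resource Owner Password Credentials ("direct grant" in Keycloak's docs).

    The client must have direct grants enabled in Keycloak. The CLI handles the
    user's password itself, so this suits first-party tools only.
    """
    fields = {"grant_type": "password", "username": username,
              "password": password, "client_id": client_id}
    if client_secret:
        fields["client_secret"] = client_secret
    return _token_request(keycloak_base, realm, fields, transport)


def bearer_header(token_response):
    """Step 3: the header to send on requests to the Keycloak-secured REST resource."""
    return {"Authorization": "Bearer " + token_response["access_token"]}


if __name__ == "__main__":
    # Constructed token reply so the demo runs without a server; names below are assumed.
    def fake_transport(url, body, headers):
        print("POST", url, body.decode())
        return 200, '{"access_token": "eyJ.demo.token", "token_type": "bearer", "expires_in": 300}'

    tok = direct_grant("https://kc.example.com/auth", "demo", "customer-app-cli",
                       "alice", "pw", transport=fake_transport)
    print(bearer_header(tok))
```

For the browser option from point 1, the CLI would open authorization_url() in a browser, receive the redirect on a local listener, pass it through parse_redirect() with the state it generated, and call exchange_code(); for point 2 it calls direct_grant() directly. Either way the result feeds bearer_header() for the API call.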
On 23 November 2015 at 09:38, Pavel Maslov <pavel.masloff at gmail.com> wrote:
> From your message I don't see how you can use Keycloak adapters for a Java
> client application (no UI) to access an API secured with Keycloak. The API
> resource is secured with Keycloak and is using Keycloak adapter. The client
> app should invoke those two URLs (or just the second one for direct
> grants). I can see you only have a Javascript library (adapter) for this
> purpose.
>
> Regards,
> Pavel Maslov, MS
> oPAC fellow at Cosylab
>
> On Mon, Nov 23, 2015 at 9:12 AM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> Keycloak handles this scenario well. Adapters are used both on the REST
>> resource side and on the UI application side (the application which wants to
>> redirect to Keycloak login and exchange the code for a token).
>>
>> One of Keycloak's points is that you don't need to code anything in order
>> to handle the OIDC / OAuth2 flow. The server part of the specification is
>> implemented by the Keycloak auth-server and the client part of the specification is
>> implemented by our adapters. You don't need to care about redirection to the
>> Keycloak login screen or exchanging the code for a token etc. The adapters do
>> all of this for you. You can also enable "consent" for your client, in which
>> case the user's consent screen will be displayed during authentication by the
>> Keycloak server. Again, no need to code anything custom.
>>
>> When you want to send a request to a REST resource, you need to add the
>> accessToken to the "Authorization: Bearer" header, which will authenticate the
>> request.
>>
>> Take a look at our demo examples (customer-portal, product-portal,
>> oauth-client) for more details.
>>
>> Marek
>>
>>
>> On 20/11/15 13:58, Pavel Maslov wrote:
>>
>> Hey Marek,
>>
>>
>> As far as I understood, adapters are used on the Resource side (e.g. the
>> API you would like to secure with Keycloak).
>> Here, I am calling the API (resource) from a 3rd party application
>> (client). First it needs a user's consent to use the API on his behalf.
>> Then it gets the auth_code, which is then used to obtain the access token.
>> Then the client is free to utilize the API on behalf of the user.
>>
>> Does the Keycloak auth workflow differ slightly from the standard
>> OAuth2.0 procedure? Or am I missing something?
>> Thanks.
>>
>>
>> Regards,
>> Pavel Maslov, MSc
>>
>> On Fri, Nov 20, 2015 at 1:41 PM, Marek Posolda <mposolda at redhat.com>
>> wrote:
>>
>>> On 20/11/15 12:18, Pavel Maslov wrote:
>>>
>>> Hi everyone,
>>>
>>>
>>> From the user documentation I could not find the authorization grant
>>> url (a la github's https://github.com/login/oauth/authorize) and Get
>>> token url (a la https://github.com/login/oauth/access_token).
>>>
>>> I presume it's
>>> {keycloak_base}/realms/{realm-name}/protocol/openid-connect/auth?client_id={client_name}&response_type=code
>>> and
>>> {keycloak_base}/realms/{realm-name}/protocol/openid-connect/token
>>> respectively, but I am not sure.
>>>
>>> Yes, your URLs are correct. However if you want to use the default
>>> Authorization Code Grant flow and browser applications, you can just use
>>> our adapters. You don't even need to know the authorization grant url and
>>> token URL as adapters handle all the redirections and exchanges for you.
>>>
>>> I suggest taking a look at our examples.
>>>
>>> And here are the docs for adapters:
>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html
>>>
>>> Marek
>>>
>>>
>>> I would like to follow the standard OAuth2.0 workflow:
>>>
>>> 1. Get Auth grant (GET on https://github.com/login/oauth/authorize)
>>> 2. Get access token in exchange for the auth grant code (POST on
>>> https://github.com/login/oauth/access_token)
>>> 3. Use the resource using the access token gotten in step 2.
>>>
>>> Please, correct me if I am wrong.
>>> Thanks.
>>>
>>> Regards,
>>> Pavel Maslov, MSc
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>
>>
>
>