[keycloak-user] Is it possible to authenticate against a Keycloak's Identity Provider (OpenAM) without using the Login screen?
Aikeaguinea
aikeaguinea at xsmail.com
Wed Aug 10 10:21:54 EDT 2016
I ran into this issue when wanting to use the auth code flow without a
browser; currently out of the box you can't pass an Accept header to
Keycloak and get a challenge response in JSON rather than HTML.

We're passing requests through an API gateway, so I was able to do some
funny business to get it to work. Basically the steps are:

1. The user agent submits a POST request to
   /realms/{realm}/login-actions/authenticate to the gateway with a
   username and password parameter.
2. The API gateway intercepts the request and first makes a GET request
   to /realms/{realm}/protocol/openid-connect/auth to grab the
   authentication form HTML.
3. The API gateway digs out the "code" and "execution" query string
   parameters in the form action.
4. The API gateway adds those parameters to the form parameters in the
   POST request before passing it through to Keycloak.

This results in a redirect response with an auth code for the user agent
to follow.

Another approach would be to write an authenticator to supply the
challenge response in JSON, which we may ultimately do.

On Tue, Aug 9, 2016, at 04:25 PM, Abelardo Vacca wrote:
>
> I am wondering if it is possible to delegate authentication to an
> identity provider, as you would on the Login Page, but using the
> REST API.
> I've posted to stackoverflow a few minutes ago with details and
> diagrams to try to explain the best I could:
> http://stackoverflow.com/questions/38859379/is-it-possible-to-authenticate-against-a-keycloaks-identity-provider-openam-w
>
> Please feel free to correct any misconceptions I might have, I am new
> to all these tools I am posting about (APIMAN, Keycloak and OpenAM)
>
> Thanks,
> Abelardo
--
Aikeaguinea
aikeaguinea at xsmail.com
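
Steps 3 and 4 of the gateway procedure above, sketched in Python as an added example; it is not part of the original post and not the poster's gateway code. The sample HTML, the host `sso.example.test`, the realm `demo`, and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the login page returned by the GET in step 2
# (host, realm and parameter values are made up for this example).
SAMPLE_LOGIN_HTML = """
<form id="kc-form-login" method="post"
 action="https://sso.example.test/realms/demo/login-actions/authenticate?code=AbC123&amp;execution=11111111-2222-3333-4444-555555555555">
  <input name="username"><input name="password" type="password">
</form>
"""


class FormActionFinder(HTMLParser):
    """Collects the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        action = dict(attrs).get("action")
        if tag == "form" and action:
            self.actions.append(action)  # entities such as &amp; are already decoded


def extract_login_params(html, expected_origin, realm):
    """Step 3: pull "code" and "execution" out of the login form action."""
    finder = FormActionFinder()
    finder.feed(html)
    suffix = f"/realms/{realm}/login-actions/authenticate"
    for action in finder.actions:
        url = urlsplit(action)
        # Fail closed: only accept a form that posts back to the expected
        # Keycloak origin and path, so credentials are never forwarded elsewhere.
        if f"{url.scheme}://{url.netloc}" != expected_origin or not url.path.endswith(suffix):
            continue
        query = parse_qs(url.query)
        if len(query.get("code", [])) == 1 and len(query.get("execution", [])) == 1:
            return {"code": query["code"][0], "execution": query["execution"][0]}
    raise ValueError("no trusted login form carrying one code and one execution")


def build_authenticate_form(user_form, login_params):
    """Step 4: add the extracted parameters to the user agent's form fields."""
    # Forward only the two expected credentials; client-supplied code/execution are dropped.
    creds = {name: user_form[name] for name in ("username", "password")}
    return {**creds, **login_params}
```

A real gateway would also need to carry over any cookies Keycloak set on the GET in step 2; that part is not shown here.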