[keycloak-user] Obtaining access token by username only (no HMI)

[FREIMUELLER Christian]

Dear all,

we have a question regarding Keycloak and obtaining an Access Token.

Our setup is as follows:
-       users are created and maintained in Keycloak
-       resources, policies and permissions are also maintained in Keycloak

Our use case is:
As a third party application, I want to obtain authorization information (e.g. resource- and scope-based permissions) for a specific user by only providing the username to Keycloak, so I can allow or prohibit further actions.

To be more specific:
We have an application exposing an interface the outside world. Any request from an interface-consuming application contains the name of the user in the request header that called an action on this interface (The username in the request is the same as in Keycloak).

The question is now:
How can we obtain an access token for the user (by only knowing the username) that is needed in order to call/use Keycloak's AuthZ client to retrieve authorization information (e.g. via its entitlement API)?

We also thought about using offline tokens, but it might be that a user (available in Keycloak) that is sent within the request might have never logged in to any protected application before - therefore we would not be able to have offline tokens at hand that we could use to request a new access token. Is there a solution to obtain an access token for such a user?

Thanks,
Christian

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/ab8b0186/attachment.html