[keycloak-user] Obtaining access token by username only (no HMI)

Stian Thorgersen sthorger at redhat.com
Tue Sep 20 03:57:14 EDT 2016


Pedro - is this possible? Seems like a valid use-case.

On 15 September 2016 at 17:07, FREIMUELLER Christian <
Christian.FREIMUELLER at frequentis.com> wrote:

> Dear all,
>
> we have a question regarding Keycloak and obtaining an Access Token.
>
> Our setup is as follows:
>
>    - users are created and maintained in Keycloak
>    - resources, policies and permissions are also maintained in Keycloak
>
>
> *Our use case is:*
> As a third party application, I want to obtain authorization information
> (e.g. resource- and scope-based permissions) for a specific user by only
> providing the username to Keycloak, so I can allow or prohibit further
> actions.
>
> *To be more specific:*
> We have an application exposing an interface to the outside world. Any
> request from an interface-consuming application contains the name of the
> user in the request header that called an action on this interface (The
> username in the request is the same as in Keycloak).
>
> *The question is now:*
> How can we obtain an access token for the user (by only knowing the
> username) that is needed in order to call/use Keycloak’s AuthZ client to
> retrieve authorization information (e.g. via its entitlement API)?
>
> We also thought about using offline tokens, but it might be that a user
> (available in Keycloak) that is sent within the request might have never
> logged in to any protected application before – therefore we would not be
> able to have offline tokens at hand that we could use to request a new
> access token. Is there a solution to obtain an access token for such a user?
>
> Thanks,
> Christian