[keycloak-user] Getting Access token over REST API
Stian Thorgersen
sthorger at redhat.com
Mon Feb 6 02:37:27 EST 2017
On 3 February 2017 at 18:50, akash agrawal <akash_agrawal at yahoo.co.uk>
wrote:
> Thanks for replying Stian. Our APIs are external APIs and need to provide
> services including authentication. Users of these APIs/services will be
> external applications, external vendors APIs, mobile apps. The
> authentication needs to happen over Auth service/APIs as well.
>
External applications and external vendors should use a service account and
client credentials grant. Mobile apps should use the authorization code
flow with the login screen.
>
> The link you shared has end points. Can they be used to get tokens in a
> production grade setting?
>
Of course, we don't have endpoints that are not aimed at production
deployments.
>
> Additionally, Why do say, getting tokens over REST end point is wrong way?
>
Getting tokens over REST endpoints for regular users is not the right way
for many reasons. It's not SSO, less secure, exposes authentication details
as well as credentials to the applications, etc, etc..
>
> Thanks.
> Akash
>
> ------------------------------
> *From:* Stian Thorgersen <sthorger at redhat.com>
> *To:* akash agrawal <akash_agrawal at yahoo.co.uk>
> *Cc:* "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> *Sent:* Friday, February 3, 2017 12:53 AM
> *Subject:* Re: [keycloak-user] Getting Access token over REST API
>
> I would strongly suggest you reconsider and use the Keycloak login as
> there are many many reasons why that is a better approach. I'm not going to
> list it again, because I've done that to many times to count. The login
> page is highly customizable so you can make it look exactly how you like.
> Any specific reasons why this is not an option?
>
> If you still insist on doing it the "wrong way" then use the OAuth2
> resource owner credential grant instead, take a look at
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/
> topics/oidc/oidc-generic.html for more details.
>
> On 2 February 2017 at 00:00, akash agrawal <akash_agrawal at yahoo.co.uk>
> wrote:
>
> Hi,
> I am evaluating Keycloak for our Identity management needs. We have a
> collection of REST APIs which we want to secure using OAuth/OpenIdConnect.
> I am looking over Keycloak documentation to determine if a client
> application can call a REST endpoint (production grade) to get the access
> token. Are there other alternatives to get access token? Using KeyCloak
> user interface to login and get an access token is not an option.
> Appreciate your help. Thanks.
> Akash
> ______________________________ _________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/ mailman/listinfo/keycloak-user
> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
>
>
>
>
More information about the keycloak-user
mailing list