[keycloak-user] Keycloak use-case with Android and custom API
César Augusto Ribeiro
carrbrpoa at gmail.com
Tue Jun 20 15:30:08 EDT 2017
Hello,
I have an APP (Android + NativeScript) and a custom NodeJS API that serves
it.My idea is to let my API handle any authentication/authorization stuff
through Keycloak - with keycloak-nodejs-connect.
So we could have the following flow:
- APP sends user and pass to this custom API;- API calls Keycloak to
authenticate the user with data provided (/token, scope='offline_access' -
to a public Keycloak client);- Keycloak returns a token to the API;- API
returns the access token to the app, which holds it to be used in
subsequent calls (Authorization Bearer ... header).
In my tests through HTTP clients, simulating the flow I would have in the
real case, I get HTTP Status 403 - Forbidden after token expiration.
I have the impression that the refreshing of the token should be
automatically done, but that doesn't seems to be happening.
Small pieces of code:
app.use(session({ secret: '...', resave: false,
saveUninitialized: true, store: memoryStore, }));
var keycloak = new Keycloak({ store: memoryStore,
scope: 'offline_access' }, 'keycloak.json');
app.use(keycloak.middleware());
app.post('/login', function (req, res) {
keycloak.grantManager.obtainDirectly('USER', 'PASS').then(grant => {
keycloak.storeGrant(grant, req, res); ... }, error
=> { ... }); });
app.get('/someProtectedEndpoint', keycloak.protect(), function
(req, res, next) { ... });
Do you see anything wrong in this use-case? Maybe I also need to store the
refresh token in the client and use it to somehow force token refresh?
Maybe it's not a good auth flow at all?
For who wants some SO points: https://stackoverflow.com/q/44656168/643416
Thanks in advance!
More information about the keycloak-user
mailing list