[keycloak-user] SSO from Java code
Nirmal Kumar
nirmal.kumar at impetus.co.in
Fri May 5 11:02:45 EDT 2017
Hi Josh,
I have deployed my WAR(s) by using the Keycloak Tomcat and Spring Security adapters. The web apps seem to be running fine with Keycloak SSO enabled from the browser, where I am redirected to a login page and then to the original URL.
Apart from the browser I also have a use case where the web app REST calls can be made through Java code directly from other standalone Java applications.
Think of the web app REST endpoints as an SDK whose consumers can be browser-based as well as non-browser-based.
The consumers here have a high degree of trust and have the username/password available.
That way I can think of "Resource Owner Password Credentials grant" to be used.
I read that we can use generic OpenID Connect Resource Provider libraries for such cases:
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/oidc-generic.html
1. /realms/{realm-name}/protocol/openid-connect/token
   This is the URL endpoint for obtaining a temporary code in the Authorization Code Flow or for obtaining tokens via the Implicit Flow, Direct Grants, or Client Grants.
2. /realms/{realm-name}/protocol/openid-connect/userinfo
   This is the URL endpoint for the User Info service described in the OIDC specification.
3. /realms/{realm-name}/protocol/openid-connect/logout
   This is the URL endpoint for performing logouts.
I can think of using #1 to get the access token and then passing this token for all my subsequent REST calls. I even tested this and found it working.
Does this make sense or any other better alternatives?
Regards,
-Nirmal
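The approach described above (exchange the username/password once at the token endpoint, then send the access token as a bearer token on every REST call), written out as an added example. This is not code from the thread or from the Keycloak project: it uses only the JDK (java.net.http, so Java 11 or later), the endpoint URL, client id and user names are constructed placeholders, and it assumes the Keycloak client has "Direct Access Grants" enabled. The point a practitioner should take from it is that the password is sent exactly once; afterwards the client keeps the refresh token and renews the access token with grant_type=refresh_token, so the credential never has to be re-sent or retained in memory.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical client: Resource Owner Password Credentials ("Direct Grant") against
 *  Keycloak's token endpoint, with token caching and refresh for later REST calls. */
public class KeycloakDirectGrantClient {
    private final HttpClient http = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(10)).build();
    private final String tokenEndpoint;  // .../realms/{realm}/protocol/openid-connect/token
    private final String clientId;
    private final String clientSecret;   // null for a public client
    private String accessToken;
    private String refreshToken;
    private Instant accessExpiresAt = Instant.EPOCH;

    public KeycloakDirectGrantClient(String tokenEndpoint, String clientId, String clientSecret) {
        this.tokenEndpoint = tokenEndpoint;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    /** Sends the password once; only the returned tokens are kept. */
    public synchronized void login(String username, String password)
            throws IOException, InterruptedException {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "password");
        form.put("username", username);
        form.put("password", password);
        requestTokens(form);
    }

    /** Returns a usable access token, renewing via the refresh token shortly before expiry. */
    public synchronized String accessToken() throws IOException, InterruptedException {
        if (accessToken == null) throw new IllegalStateException("call login() first");
        if (Instant.now().plusSeconds(30).isAfter(accessExpiresAt)) {
            Map<String, String> form = new LinkedHashMap<>();
            form.put("grant_type", "refresh_token");
            form.put("refresh_token", refreshToken);
            requestTokens(form);
        }
        return accessToken;
    }

    private void requestTokens(Map<String, String> form) throws IOException, InterruptedException {
        form.put("client_id", clientId);
        if (clientSecret != null) form.put("client_secret", clientSecret);
        HttpRequest req = HttpRequest.newBuilder(URI.create(tokenEndpoint))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(formEncode(form)))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            // Report only the OAuth error code; never log the form body (password / refresh token).
            throw new IOException("token endpoint returned HTTP " + resp.statusCode()
                    + " error=" + jsonString(resp.body(), "error"));
        }
        accessToken = jsonString(resp.body(), "access_token");
        refreshToken = jsonString(resp.body(), "refresh_token");
        accessExpiresAt = Instant.now().plusSeconds(jsonNumber(resp.body(), "expires_in"));
    }

    /** Calls a protected REST endpoint of the web app with the bearer token attached. */
    public HttpResponse<String> get(String url) throws IOException, InterruptedException {
        HttpRequest req = HttpRequest.newBuilder(URI.create(url))
                .header("Authorization", "Bearer " + accessToken())
                .GET().build();
        return http.send(req, HttpResponse.BodyHandlers.ofString());
    }

    static String formEncode(Map<String, String> form) {
        StringBuilder sb = new StringBuilder();
        form.forEach((k, v) -> {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(k, StandardCharsets.UTF_8)).append('=')
              .append(URLEncoder.encode(v, StandardCharsets.UTF_8));
        });
        return sb.toString();
    }

    // Minimal extraction for the flat token JSON; production code should use a JSON library.
    static String jsonString(String json, String key) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(key) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    static long jsonNumber(String json, String key) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(key) + "\"\\s*:\\s*(\\d+)").matcher(json);
        return m.find() ? Long.parseLong(m.group(1)) : 0L;
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder values; substitute your realm, client and app URL.
        KeycloakDirectGrantClient c = new KeycloakDirectGrantClient(
                "https://sso.example.test/auth/realms/demo/protocol/openid-connect/token",
                "cli-client", null);
        c.login("alice", System.getenv("SSO_PASSWORD")); // from the environment, not argv or source
        System.out.println(c.get("https://app.example.test/rest/items").statusCode());
    }
}
```

Two things worth checking in a real deployment: the token endpoint must be reached over HTTPS, since the form body carries the password in clear text inside the TLS tunnel, and the adapter on the Tomcat side validates the bearer token's signature and expiry on every call, so a consumer that ignores expires_in will start getting 401 responses rather than silently continuing.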
-----Original Message-----
From: Josh Cain [mailto:jcain at redhat.com]
Sent: Friday, May 5, 2017 6:52 PM
To: Nirmal Kumar <nirmal.kumar at impetus.co.in>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] SSO from Java code
Hi Nirmal,
Depending on what protocol you're using, I think Keycloak's got you covered. I'd check out either the SAML ECP flow[0] or the OIDC Resource Owner Password Credentials flow[1], both of which are supported by Keycloak.
However, I'd also point out that these are highly uncommon and should only be used in a small number of cases. Do you mind my asking why you're needing to cut a browser out of the picture?
[0]
http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html
[1] https://tools.ietf.org/html/rfc6749#section-1.3.3
Josh Cain
Senior Software Applications Engineer, RHCSA
Red Hat North America
jcain at redhat.com
M: +1 256-452-0150
IRC: jcain
On 05/05/2017 04:26 AM, Nirmal Kumar wrote:
> Hi All,
>
> I installed the standalone version of latest keycloak 3.0.0.Final and was pretty much impressed with the ease of getting SSO for my spring based REST web applications deployed on Tomcat 7.
>
> I am wondering if I can get the same SSO feature from Java code without ever going to a browser, since I want the same from a CLI with no UI/browser.
>
> Thanks,
> -Nirmal
>
> ________________________________
>
> NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>