[keycloak-user] Using Direct Grant Access in Android app
Maxime Cadoret
Maxime.Cadoret at insa-rennes.fr
Thu Sep 28 09:03:24 EDT 2017
Hello everyone,
I am currently working on an Android project and I'm trying to use KeyCloak as an authentication module.
[Disclaimer] I'm still a student so my questions might appear completely off-mark, i managed to get KeyCloak to work by testing every scrap of code i found about the subject on the internet so it might not be the right way to do things, still doing what I need though.
(mostly from this post : http://lists.jboss.org/pipermail/keycloak-user/2016-January/004445.html)
I previously managed to connect to keycloak by :
1 - using a webview
2 - loading the login page url
3 - get the user to provide login/pwd on the page
4 - get a code back with the previous url (protocol/openid-connect/auth?response_type=code&client_id=android_app&redirect_uri=android://app");
5 - send this code towards another url in a form :
RestTemplate template = new RestTemplate();
template.getMessageConverters().add(new FormHttpMessageConverter());
template.getMessageConverters().add(new MappingJackson2HttpMessageConverter());
MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
form.add("grant_type", "authorization_code");
form.add("client_id", "android_app");
form.add("code", code);
form.add("redirect_uri", "android://app");
ResponseEntity<AccessTokenResponse> rssResponse = template.postForEntity(
"xxx/auth/realms/{realm}/protocol/openid-connect/token", form,
AccessTokenResponse.class);
6 - parse this JWT into what I need.
I found that you could use Direct Grant Access to avoid using the "keycloak login page" and I am wondering if I'm doing things right when I use it.
I'm actually trying to provide the login and password by an NFC TAG and it can't really work with the usual page.
What I'm doing now is :
1 - Create a form containing my password and login (as clear as water)
2 - send it to KeyCloak
RestTemplate template = new RestTemplate();
template.getMessageConverters().add(new FormHttpMessageConverter());
template.getMessageConverters().add(new MappingJackson2HttpMessageConverter());
MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
form.add("grant_type", "password");
form.add("client_id", "android_app");
form.add("username", "test");
form.add("password", "test");
form.add("redirect_uri", "android://app");
ResponseEntity<AccessTokenResponse> rssResponse = template.postForEntity(
"xxx/auth/realms/{realm}/protocol/openid-connect/token", form,
AccessTokenResponse.class);
But I'm worried about the login and password in this message.
Isn't it vunerable as I'm using HTTP ? Or if I add HTTPS will it be secured enough ?
I'm really not familiar with this process so I'm open for any suggestion or explainations.
Thanks in advance for reading (sorry for my english if there are mistakes).
Best regards,
Maxime.
More information about the keycloak-user
mailing list