[keycloak-user] How to get access access token with SPNEGOAuthenticator?

Marek Posolda mposolda at redhat.com
Fri Dec 7 02:35:58 EST 2018


On 06/12/2018 11:33, ola rob wrote:
> Thanks Marek! Yes, we are using direct grant flow. Does this approach 
> also need browser redirection? If yes, then this may not help us as we 
> are looking for just an API to pass spnego token and get the user 
> authenticated resulting in an access/refresh token. The challenge 
> negotiation with browser is being handled internally by us.

No, this flow doesn't need browser redirection. That's why I mentioned 
that you may need to develop your own Authenticator. The default 
SpnegoAuthenticator we have is for the browser flow, so you may need 
something similar, which will be able to just extract the SPNEGO token and 
"authenticate" it. I think you may be able to re-use most of the parts 
done in the SpnegoAuthenticator, but not everything.

For inspiration, I suggest taking a look at the authenticators used by 
the Direct Grant flow (ValidateUsername, ValidatePassword, ValidateOTP) 
and comparing them with the authenticators for the "browser" flow. I 
believe this may give you the inspiration.

Marek

>
> Thanks!
>
> On Wed, Dec 5, 2018 at 1:42 PM Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     On 25/11/2018 05:11, ola rob wrote:
>     > Hi,
>     >
>     > For some legacy reasons, we are using keycloak API/services for
>     > authentication but not redirecting our application to keycloak.
>     > We are able to get the access token and refresh token
>     > (AccessTokenResponse.class) when we authenticate using the login API
>     > by sending username and password. But we are unable to get them when
>     > authenticating using a spnego token.
>     > The SPNEGOAuthenticator class doesn't return any access token after
>     > successful authentication. We need these tokens to manage our
>     > application session internally. So, how can we get the access and
>     > refresh token, or a response similar to username/password
>     > authentication?
>
>     Are you using the OAuth2 Resource-Owner-Password-Credentials (Direct
>     grant) flow? Can you send an example of the HTTP request and response
>     you're using, just to confirm we're on the same page?
>
>     We don't have support for SPNEGO authentication in the
>     Resource-Owner-Password-Credentials flow (assuming you're using that
>     flow). There is an open JIRA for this. What you can possibly do is to
>     write your own authenticator implementation, which will handle SPNEGO,
>     and then create an authentication flow with your custom authenticator
>     added. The authenticator can probably re-use lots of the code which
>     the SpnegoAuthenticator used for the "browser" flow is using. The flow
>     will likely need to contain other authenticators as well (e.g. the
>     existing authenticators for username/password, assuming you want to
>     support both username/password and SPNEGO). See the Keycloak server
>     development guide and our quickstarts for authentication for more
>     details.
>
>     Marek
>
>     >
>     >   SPNEGOAuthenticator spnegoAuthenticator =
>     >           new SPNEGOAuthenticator(kerberosConfig, kerberosAuth, spnegoToken);
>     >   spnegoAuthenticator.authenticate();
>     >   if (spnegoAuthenticator.isAuthenticated()) {
>     >       // returning the username correctly
>     >       String username = spnegoAuthenticator.getAuthenticatedUsername();
>     >   }
>     >
>     > Thanks in advance!
>     > _______________________________________________
>     > keycloak-user mailing list
>     > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
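Marek's suggestion above, sketched as an added example that is not code from this thread or from the Keycloak project: a direct-grant Authenticator that reads a SPNEGO token from a form parameter of the token-endpoint POST and validates it through the same credential-manager path the browser SpnegoAuthenticator delegates to (the realm's Kerberos/LDAP user-storage provider verifies the GSS token and maps the principal to a user). The class name, provider id, the `spnego_token` parameter name and the package are assumptions; the SPI method names follow the Keycloak 4.x `Authenticator`/`AuthenticatorFactory` interfaces current at the time of the thread and may differ in later versions.

```java
package example.spnego; // hypothetical package, not part of Keycloak

import java.util.Collections;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.directgrant.AbstractDirectGrantAuthenticator;
import org.keycloak.credential.CredentialValidationOutput;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Direct-grant counterpart of the browser SpnegoAuthenticator (example code).
 * Expects the client to POST a complete, base64-encoded SPNEGO token in the
 * form field named by SPNEGO_TOKEN_PARAM together with grant_type=password.
 */
public class DirectGrantSpnegoAuthenticator extends AbstractDirectGrantAuthenticator {

    public static final String PROVIDER_ID = "direct-grant-spnego";   // assumed provider id
    public static final String SPNEGO_TOKEN_PARAM = "spnego_token";   // assumed form field name

    private static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
        AuthenticationExecutionModel.Requirement.REQUIRED,
        AuthenticationExecutionModel.Requirement.ALTERNATIVE,
        AuthenticationExecutionModel.Requirement.DISABLED
    };

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String spnegoToken = form.getFirst(SPNEGO_TOKEN_PARAM);
        if (spnegoToken == null || spnegoToken.isEmpty()) {
            fail(context, "Missing " + SPNEGO_TOKEN_PARAM);
            return;
        }

        // Same validation the browser SpnegoAuthenticator uses: the credential manager hands the
        // Kerberos credential to the realm's Kerberos-capable user-storage provider, which verifies
        // the token and returns the mapped UserModel.
        CredentialValidationOutput output = context.getSession().userCredentialManager()
                .authenticate(context.getSession(), context.getRealm(),
                        UserCredentialModel.kerberos(spnegoToken));

        if (output != null
                && output.getAuthStatus() == CredentialValidationOutput.Status.AUTHENTICATED) {
            context.setUser(output.getAuthenticatedUser());
            context.success(); // the token endpoint now issues access/refresh tokens for this user
            return;
        }

        // Status.CONTINUE (a multi-round negotiation) cannot be completed within a single
        // token-endpoint POST, so it is treated as a failure like FAILED.
        fail(context, "Invalid SPNEGO token");
    }

    // Direct-grant style error: an OAuth2 error body with HTTP 401, as ValidatePassword does.
    private void fail(AuthenticationFlowContext context, String description) {
        context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
        Response challenge = errorResponse(Response.Status.UNAUTHORIZED.getStatusCode(),
                "invalid_grant", description);
        context.failure(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public String getDisplayType() { return "SPNEGO (direct grant)"; }
    @Override public String getReferenceCategory() { return null; }
    @Override public boolean isConfigurable() { return false; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENT_CHOICES; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() { return "Validates a SPNEGO token posted to the token endpoint and sets the mapped user."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public String getId() { return PROVIDER_ID; }
}
```

To wire it in, the factory is registered through `META-INF/services/org.keycloak.authentication.AuthenticatorFactory`, a copy of the built-in Direct Grant flow gets this execution as ALTERNATIVE next to the username/password executions, and the copy is bound to the client. The client then POSTs `grant_type=password` plus `spnego_token=<base64 token>` to the token endpoint and receives the usual `AccessTokenResponse`. Two practitioner caveats: the endpoint hands out tokens to whoever presents a valid SPNEGO token, so the client must be confidential and the transport must be TLS, because a captured token is replayable for the lifetime of the underlying Kerberos service ticket; and because the Kerberos provider, not this class, performs the GSS validation, the realm still needs the Kerberos (or LDAP with Kerberos) user federation provider configured with the keytab, exactly as for the browser flow.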



More information about the keycloak-user mailing list