2

I want to avoid the Keycloak login page. I referred to this "Avoid keycloak default login page and use project login page" link and was able to get the access token using a POST request to the "http://localhost:5555/auth/realms/master/protocol/openid-connect/token" link.

After getting the access token in this step, it is mentioned to pass the below headers:

```javascript
headers: {
  Authorization: 'Bearer ' + access_token_you_got
}
```

But it is not clear where to pass the access token, what the response will be, and what type of request to make.

This question might look very basic. As I am new to this, it is taking me a long time to understand. Any help is appreciated.

Maria

2 Answers

3

A good start would be to understand the basics of the OAuth2 protocol, its main actors and the authorization grant types.

Actors:
- Authorization server
- Resource server
- Client
- Resource owner

Grant types:
- Authorization code grant
- Implicit grant
- Client credentials grant
- Resource owner credentials grant

Once you understand which grant type suits your case, it becomes clear which request and response headers you should send to and receive from the actors of the authorization flow.

There are a lot of articles on this topic and I find this one particularly useful:
https://alexbilbie.com/guide-to-oauth-2-grants/

Keycloak's login page is particularly helpful when implementing the Authorization code and Implicit grant types of the OAuth protocol.

VSh
  • Thank you for your comments. In my case I am using the "Resource owner credentials grant" and getting the "access token, refresh token and expires in" as a response. Are there any other steps I need to do after this? Because it is still going to the Keycloak login page. – Maria Mar 01 '19 at 03:09
  • If I understood you correctly, then your Keycloak adapter for the resource server is misconfigured. If you are trying to protect a resource which is, for example, a REST service, then you can set up the **bearer-only** configuration parameter. It will only validate the token which you receive from Keycloak. https://www.keycloak.org/docs/latest/securing_apps/index.html - this link has the config parameter descriptions and links to examples. – VSh Mar 01 '19 at 03:40
  • As I am new to SSO and Keycloak, I want to ask one more question here. Say I log in to my application (application1). On clicking a link in application1, I want to reach Cloud Elements (say application2). From Keycloak to application2 I am using SAML, and from application1 to Keycloak I am using OpenID. Is this correct? – Maria Mar 01 '19 at 13:18
  • This is a very broad question to answer without understanding the details and application requirements. But SAML and OIDC are different protocols and, if you design your SSO solution from the beginning, then there is probably no need to mix these protocols together in it. – VSh Mar 01 '19 at 13:30
2

After getting the access token, you will have to pass it in order to access data from the Keycloak-protected resource:

```javascript
headers: {
  Authorization: 'Bearer ' + access_token_you_got
}
```

I was also wondering the same thing, and what I did was: for each redirect in my application I created a middleware which authenticates the token. If the token is not valid or does not exist, the user is redirected to the login page to authenticate.

avinashjha
  • Here the Keycloak-protected resource is the Cloud Elements page. But the Cloud Elements page doesn't have any API to accept our request. So how can I pass this request? – Maria Mar 04 '19 at 05:53
  • In your middleware, send an HTTP request to the Keycloak URL with the proper Bearer token. If the token is not valid you will get 401, otherwise 200. And for your application, call this middleware for each redirect. If the token is valid the middleware will forward the request; otherwise it redirects them to the login page if the token is not valid or doesn't exist. – avinashjha Mar 04 '19 at 18:42
  • Thank you. I found my mistake. I passed the token to the Cloud Elements page instead of Keycloak. – Maria Mar 05 '19 at 04:30
  • Can anyone tell me what the Keycloak authorization URL is? – Maria Apr 02 '19 at 07:19
  • Use this URL http://${KEY_CLOAK_IP}/auth/realms/{realm}/protocol/openid-connect/token/userinfo. Generate the access token for the user and in the middleware send a request to this URL. This URL will respond 200 as long as the access_token is valid, else 401. – avinashjha Apr 02 '19 at 07:42
  • Thank you Avinash. Finally, if I get the 200 response, then the authorization is done, right? And we can launch the application without going to the Keycloak login page... Is that so? – Maria Apr 02 '19 at 08:54
  • Yes, if you are getting 200 that means the token is valid and you can log in to the application. – avinashjha Apr 02 '19 at 09:42
  • You will get the access token from this URL. Why are you calling this URL and passing the access token? – avinashjha Apr 11 '19 at 11:28
  • I am getting the access token from this URL "http://${KEY_CLOAK_IP}/auth/realms/{realm}/protocol/openid-connect/token" and passing that token to "{Keycloak_IP}/auth/realms/master/", which gives the 200 response. But I am still unable to log in directly. It still goes to the Keycloak login page and asks for the username and password. – Maria Apr 11 '19 at 11:34
  • So what I understand is that you wanted to use a custom login page instead of the Keycloak login. So we call the Keycloak REST API in the backend from your custom login page, and if the request is successful, by which I mean when you get a 200 code from ```http://${KEY_CLOAK_IP}/auth/realms/{realm}/protocol/openid-connect/token```, you will get the access token. Store this access token and redirect to your application. In this scenario, where do we have the Keycloak login page in between? – avinashjha Apr 11 '19 at 12:43
  • Yes, your understanding is correct. But I am passing the access token to "http://{{Keycloak IP}}/auth/realms/master/", not to my application. Please guide me on where to pass the access token. My expectation here is that when I pass the access token to the Keycloak URL, the user should be able to log in directly without entering the username and password fields (i.e. single sign-on). – Maria Apr 23 '19 at 06:40
  • For your better understanding, my scenario is: I have an application on my local machine (App1) and I am going to access one application on the cloud (App2) from App1. All the users who log in to App1 can access App2 using single sign-on. So I created an IdP for App2 and integrated it with Keycloak to achieve SSO. But I am struggling to integrate Keycloak with App1. All the App1 users are still going to the Keycloak login page, and if I enter the username and password then they are redirected to App2. Hope it is clear now. – Maria Apr 23 '19 at 06:55
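The three HTTP exchanges this thread keeps circling (the password-grant token request from the question, the `Authorization: Bearer` header both answers quote, and the per-request middleware that checks the token against Keycloak's userinfo endpoint and redirects to the project's own login page otherwise) are shown end to end below. This is an added example, not code from the original post, the answers, or Keycloak itself. `KEYCLOAK_BASE`, `REALM`, `CLIENT_ID` and `LOGIN_PAGE` are placeholder assumptions, the transport is a constructed stand-in for Keycloak so the example runs offline, and the userinfo path used is the one Keycloak publishes in the realm's `.well-known/openid-configuration` document (the path quoted in the comments above differs; check the discovery document of your own deployment).

```javascript
// Added example, not code from the original post or from Keycloak itself.
// The three steps the thread discusses, written against an injectable
// transport so the whole flow runs offline against a constructed stand-in.
// Assumed values (placeholders, not from the page): KEYCLOAK_BASE, REALM,
// CLIENT_ID and LOGIN_PAGE.

const KEYCLOAK_BASE = 'http://localhost:5555/auth'; // assumption: server exposes the /auth prefix
const REALM = 'master';
const CLIENT_ID = 'app1';      // assumption: a public client registered in the realm
const LOGIN_PAGE = '/login';   // assumption: the project's own login page

// Endpoint paths as Keycloak publishes them in the realm's
// .well-known/openid-configuration document.
function endpoints(base, realm) {
  const root = `${base}/realms/${realm}/protocol/openid-connect`;
  return { token: `${root}/token`, userinfo: `${root}/userinfo` };
}

// Step 1: Resource Owner Password Credentials grant. The request body is
// form-encoded (not JSON); a 200 carries access_token, refresh_token and
// expires_in, while a bad password yields 401 with error "invalid_grant".
function requestToken(http, username, password) {
  const form = new URLSearchParams({
    grant_type: 'password', client_id: CLIENT_ID, username, password,
  });
  const res = http('POST', endpoints(KEYCLOAK_BASE, REALM).token, {
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: form.toString(),
  });
  if (res.status !== 200) return null;
  const json = JSON.parse(res.body);
  return { accessToken: json.access_token, refreshToken: json.refresh_token, expiresIn: json.expires_in };
}

// Step 2: the header both answers quote. It goes to the protected resource
// (or to Keycloak itself), never to a page that has no API to receive it.
function bearerHeaders(accessToken) {
  return { Authorization: 'Bearer ' + accessToken };
}

// Step 3: the per-request middleware: ask the userinfo endpoint whether the
// token is still valid (200) or not (401); forward if valid, otherwise
// redirect to the project's own login page.
function requireToken(http, accessToken) {
  if (!accessToken) return { action: 'redirect', location: LOGIN_PAGE };
  const res = http('GET', endpoints(KEYCLOAK_BASE, REALM).userinfo, {
    headers: bearerHeaders(accessToken),
  });
  if (res.status === 200) return { action: 'forward', user: JSON.parse(res.body) };
  return { action: 'redirect', location: LOGIN_PAGE };
}

// Constructed stand-in for Keycloak (not a real server): accepts exactly one
// username/password pair and remembers which tokens it has issued.
function fakeKeycloak() {
  const issued = new Set();
  const ep = endpoints(KEYCLOAK_BASE, REALM);
  return function http(method, url, opts = {}) {
    if (method === 'POST' && url === ep.token) {
      const form = new URLSearchParams(opts.body);
      const ok = form.get('grant_type') === 'password'
        && form.get('username') === 'alice' && form.get('password') === 'correct horse';
      if (!ok) return { status: 401, body: JSON.stringify({ error: 'invalid_grant' }) };
      const token = 'tok-' + (issued.size + 1);
      issued.add(token);
      return { status: 200, body: JSON.stringify({ access_token: token, refresh_token: 'ref-' + token, expires_in: 60 }) };
    }
    if (method === 'GET' && url === ep.userinfo) {
      const auth = (opts.headers && opts.headers.Authorization) || '';
      const token = auth.startsWith('Bearer ') ? auth.slice('Bearer '.length) : '';
      if (issued.has(token)) return { status: 200, body: JSON.stringify({ sub: 'alice-id', preferred_username: 'alice' }) };
      return { status: 401, body: '' };
    }
    return { status: 404, body: '' };
  };
}

// End-to-end walk-through: wrong password, good login, missing token, forged token.
function demo() {
  const http = fakeKeycloak();
  const bad = requestToken(http, 'alice', 'wrong');
  const good = requestToken(http, 'alice', 'correct horse');
  return {
    badLogin: bad,
    goodLogin: requireToken(http, good.accessToken).action,
    user: requireToken(http, good.accessToken).user,
    noToken: requireToken(http, undefined).action,
    forgedToken: requireToken(http, 'tok-forged').action,
  };
}

console.log(demo());
```

Two caveats worth keeping in mind. The password grant hands the user's password to your application, which is why RFC 6749 reserves it for trusted first-party clients and the OAuth 2.0 Security Best Current Practice advises against it; the Authorization code grant that VSh mentions keeps the password on Keycloak's login page, which is exactly the page the question is trying to avoid, so the trade-off is deliberate. And calling userinfo on every request is simple but costs a round trip each time; a bearer-only adapter on the resource server, as VSh suggests, validates the token's signature locally against the realm's keys instead.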