
I have a SPA with a backend API protected by Keycloak. I want to allow the SPA users to execute actions against the API programmatically instead of only via the SPA. Typically an application would allow a user to "create an API key" and perform actions against the API.

What is the recommended way of doing this with Keycloak?

My current plan is to enable Direct Access Grants (Resource Owner Password Credentials Grant) on the public client and instruct the SPA user to retrieve an Access Token doing:

curl -u public-client: -X POST \
  https://keycloak.url/auth/realms/REALM/protocol/openid-connect/token \
  -d 'grant_type=password&username=USER&password=PASSWORD'

The user can then access the API using her Access Token. It works but it doesn't feel quite right.

Is there a better (easy!) way? Thanks in advance!

GGGforce

1 Answer

Your SPA is just another client of the API; all clients undergo the same login process. The only difference would be where the auth tokens will be stored: with the SPA, the browser will store them; with the API it is up to you.

See this post for more details on API login: Login to Keycloak using API

Borislav Stoilov