Login to Keycloak using API





I have 2 different applications: say Application1 and Application2.



I have integrated Application2 with keycloak and I am able to login to this application using Keycloak's login page.



Now what I want is, if I login to my Application1 (without keycloak), I should be able to call some API of keycloak to login to application2 (without rendering keycloak's login page).



Is it feasible? If yes, how?



Any help will be highly appreciated.



Thanks





Please refer to this for more help: stackoverflow.com/questions/49313554/…
– Ankur Singhal
May 5 at 10:43




3 Answers



You are effectively asking your users to trust that Application1 will manage their keycloak credentials securely. This is not recommended because



But if you control and can trust Application1 and need to do this due to legacy or other reasons then you can enable the Resource Owner Credentials Flow called "Direct Access" on the Keycloak Client Definition, and then POST the user's credentials as a form-urlencoded data type to




https://<keycloak-url>/auth/realms/<realm>/protocol/openid-connect/token



The parameters will be


grant_type=password
client_id=<Application1's client id>
client_secret=<the client secret>
username=<the username>
password=<the password>
scope=<space delimited list of scope requests>



The response will be a valid JWT object or a 4xx error if the credentials are invalid.





Thanks shonky. I was able to get a response from the REST service you just mentioned. I am getting access token, refresh token and few other parameters. However, I am still not able to login directly to the keycloak server. Am I missing something?
– Akhil Prajapati
Jan 15 at 5:30





The above API will give you an access token, which you can use to make a call to your Application2. If you have an access token and are getting 401, check that you are passing it correctly (Bearer AccessToken) and, if so, check the logs on the app2 side. If you are getting 403, the issue is with the roles and access list. Just to point out, the above approach will not give you access to the Keycloak server (if you want that then perhaps you need to elaborate more on the use case).
– Anunay
Jan 15 at 5:52





@Anunay Thanks for your valuable response. But my doubt still persists. I am asking how do I make a call to Application2 using the access token that I have got.
– Akhil Prajapati
Jan 16 at 8:13






If you are making a REST call, pass the token in the Authorization header: curl http://localhost:8080/service/secured -H "Authorization: bearer $TOKEN". Refer to Obtain Token and invoke service.
– Anunay
Jan 17 at 3:56



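The Direct Access Grant exchange described in the answer above, as an added example that is not part of the original answer: build the form-urlencoded password grant for the token endpoint, distinguish a 200 token response from a 4xx error, and produce the Authorization header Application1 then sends to Application2. The Keycloak URL, realm, client id and credentials are placeholders, and the HTTP transport is injectable so the logic can be exercised with a constructed response.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholders; substitute your own Keycloak base URL and realm.
KEYCLOAK_URL = "https://keycloak.example.com"
REALM = "myrealm"


class TokenRequestError(Exception):
    """Token endpoint answered 4xx: bad credentials, unknown client, or grant not enabled."""


def token_endpoint(base_url=KEYCLOAK_URL, realm=REALM):
    # Token endpoint path exactly as given in the answer (older /auth context path).
    return f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"


def password_grant_body(client_id, client_secret, username, password, scopes=("openid",)):
    # Form-urlencoded body for the Resource Owner Password Credentials ("Direct Access") grant.
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
    }).encode()


def urllib_post(url, body):
    # Default transport: returns (status, raw body) for 2xx and 4xx alike so the caller decides.
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def request_token(client_id, client_secret, username, password, post=urllib_post):
    # Exchange the user's credentials for tokens; `post` is injectable so this runs offline in tests.
    status, raw = post(token_endpoint(), password_grant_body(client_id, client_secret, username, password))
    payload = json.loads(raw or b"{}")
    if status != 200:
        raise TokenRequestError(f"{status} {payload.get('error')}: {payload.get('error_description')}")
    return payload  # contains access_token, refresh_token, expires_in, token_type, ...


def bearer_header(token_response):
    # Header Application1 attaches when calling Application2's protected endpoints.
    return {"Authorization": "Bearer " + token_response["access_token"]}
```

The client secret and user password travel in the request body, so this only belongs in a server-side component of Application1 that you control, never in a browser.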



Yes, you can log in to Application-1 without using the Keycloak login interface.



Various client adapters are available for achieving this. Here you didn't mention your application framework.



To know more about the Keycloak client adapters: click here



For example, if you are choosing the Node.js adapter then you can follow the link: node.js adapter



Keycloak implementation with the Node.js adapter, details about the REST APIs and the token validation mechanism are well explained in this link: click for example





I am using Java.
– Akhil Prajapati
Feb 1 at 4:10





@AkhilPrajapati Were you able to get this working?
– Karan Kotabagi
May 22 at 6:25



If I got your question correctly, you are trying to call a bearer-only service through another application that's already logged in. You also didn't mention if you are using Spring Boot or another framework like it, so I'll suppose that you are using Spring Boot for your server-side application.



The following example shows a simple call from an authenticated API to another one, both using Spring Boot:


import org.keycloak.KeycloakPrincipal;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestTemplate;

@Component
public class AnotherServiceClient {

    public TypeOfObjectReturnedByAnotherService getFromAnotherService() {
        RestTemplate restTemplate = new RestTemplate();
        String endpoint = "http://localhost:40030/another/service/url";
        String bearerToken = getAuthorizationToken();

        // Forward the caller's own access token to the other service
        HttpHeaders headers = new HttpHeaders();
        headers.set("Authorization", "Bearer " + bearerToken);

        HttpEntity<Void> entity = new HttpEntity<>(headers);

        ResponseEntity<TypeOfObjectReturnedByAnotherService> response = restTemplate.exchange(
                endpoint, HttpMethod.GET, entity, TypeOfObjectReturnedByAnotherService.class);

        return response.getBody();
    }

    private String getAuthorizationToken() {
        // The Keycloak Spring Security adapter stores the account in the Authentication details
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        SimpleKeycloakAccount details = (SimpleKeycloakAccount) authentication.getDetails();

        KeycloakPrincipal<?> keycloakPrincipal = (KeycloakPrincipal<?>) details.getPrincipal();

        // Refreshable context: the adapter can refresh the token before it is reused
        RefreshableKeycloakSecurityContext context =
                (RefreshableKeycloakSecurityContext) keycloakPrincipal.getKeycloakSecurityContext();

        // Raw serialized access token, ready to be sent as a Bearer credential
        return context.getTokenString();
    }
}



That way it is possible to send the actual valid token generated by your origin service to another service.





