Integrate Keycloak login for authentication when getting a REST request without login page

Time:11-15

I have a Java web application which had an internal identity and access management system. It is now suspended with the integration of Keycloak.

Next to its web interface, my application also has a REST endpoint like /api/authentication/login (among others, but this is the starting point) which could previously be called to get a token via: curl -X POST http://localhost:8080/api/authentication/login -H 'Authorization: admin:admin'.

With the integration of Keycloak here, I can no longer log in via that REST endpoint. I always get redirected to the login page of Keycloak, which might make sense in that it protects my app. But here I want to bypass the Keycloak login page, directly check the credentials and return a token if they match.

What are my options to achieve this?

Btw: the app does not use Spring Boot.

I've tried to add a new Keycloak OpenID client which would cover the /api home URL, and I also set the option "Client Authentication" to false, but with no effect, i.e. I still get redirected to the Keycloak login page.

CodePudding user response:

I would go further than Dhaval and say that it is recommended not to go that way.

Users should not authenticate against your API but against the authorization server (Keycloak) directly. Neither clients (UI) nor resource servers (REST APIs) should access users' secrets.

Just configure your client (UI) to redirect users to Keycloak to get an access token and send this token as a Bearer Authorization header when issuing requests to resource servers (REST APIs). Use an OAuth2 client library for that (possibly labeled OpenID / OIDC).

See these tutorials for a minimal Keycloak setup and Spring resource-server security configuration: https://github.com/ch4mpy/spring-addons/blob/master/samples/tutorials

CodePudding user response:

It's not recommended to do it without the redirect, but you can still achieve it with the Direct Grant Flow.

https://developers.redhat.com/blog/2020/01/29/api-login-and-jwt-token-generation-using-keycloak?sc_cid=7013a00000313tHAAQ#test_your_new_client

https://stackoverflow.com/a/48255625
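As an added example (not code from the question or from either answer), here is what the Direct Grant flow from the second answer looks like on the wire, together with the checks the first answer implies a resource server (the /api endpoints) must run on the bearer token before trusting it. The Keycloak base URL, realm name and client id are assumed values. Two caveats: the Keycloak client used for this must have "Direct access grants" enabled in its settings (a public client with Client Authentication off is fine), and Keycloak signs access tokens with RS256 and publishes the keys at the realm's protocol/openid-connect/certs endpoint; the verifier below uses HS256 with a shared key purely so the example runs offline, and a real deployment should use a JWT library with JWKS support instead.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request

# Assumed values for the example, not taken from the question.
KEYCLOAK_URL = "http://localhost:8180"
REALM = "myrealm"
CLIENT_ID = "my-api-client"
ISSUER = f"{KEYCLOAK_URL}/realms/{REALM}"  # 'iss' claim Keycloak puts in its tokens


def direct_grant_request(base_url, realm, client_id, username, password,
                         client_secret=None):
    """Build the Direct Grant (OAuth2 password grant) token request.

    Returns (url, form_body). Keycloak 17+ serves the token endpoint under
    /realms/<realm>/...; older versions prefix the path with /auth.
    """
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": "openid",
    }
    if client_secret is not None:  # only confidential clients send a secret
        form["client_secret"] = client_secret
    return url, form


def fetch_token(base_url, realm, client_id, username, password, client_secret=None):
    """Send the request to a live Keycloak and return the access token."""
    url, form = direct_grant_request(base_url, realm, client_id, username,
                                     password, client_secret)
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def bearer_header(access_token):
    """Header the UI/script sends to the REST API instead of admin:admin."""
    return {"Authorization": f"Bearer {access_token}"}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_bearer(token, key, issuer, client_id, now=None):
    """Resource-server checks before trusting a bearer token.

    HS256 with a shared key is an assumption made so this runs offline;
    Keycloak uses RS256 and the realm JWKS. The claim checks are the same.
    Returns (True, claims) or (False, reason).
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # never accept 'none' or a caller-chosen alg
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    if claims.get("typ") != "Bearer":  # reject ID/refresh tokens used as access tokens
        return False, "not an access token"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    # Keycloak sets 'azp' to the requesting client; 'aud' is often just "account".
    if claims.get("azp") != client_id and client_id not in aud:
        return False, "token not issued for this client"
    return True, claims


def make_demo_token(key, claims):
    """Constructed HS256 token standing in for a Keycloak response (demo only)."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    url, form = direct_grant_request(KEYCLOAK_URL, REALM, CLIENT_ID, "admin", "admin")
    print("POST", url, urllib.parse.urlencode(form))
    demo = make_demo_token(b"demo-shared-key", {
        "iss": ISSUER, "typ": "Bearer", "azp": CLIENT_ID,
        "exp": int(time.time()) + 300, "preferred_username": "admin"})
    print(verify_bearer(demo, b"demo-shared-key", ISSUER, CLIENT_ID))
```

The `curl -X POST ... -H 'Authorization: admin:admin'` call from the question becomes a POST of the `form` dict above to Keycloak's token endpoint, and the application's own /api/authentication/login endpoint is no longer needed: the API simply runs `verify_bearer` on every request carrying `Authorization: Bearer <token>`.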
