I have been looking through the Keycloak documentation but cannot see how to do this. With Java, I'd like to take a valid userid and password and then generate a token. How can I do this?
1 Answers
17
--EDIT 2018-08-31--
You can use the Authorization Client Java API. Once you have created an AuthzClient object, you can pass the username and password to the AuthzClient#authorization(username, password) or AuthzClient#obtainAccessToken(username, password) method to authenticate the user and get the access token (and/or ID token in the first case):
```java
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.AccessTokenResponse;

// create a new instance based on the configuration defined in keycloak-authz.json
AuthzClient authzClient = AuthzClient.create();
// send the authorization request to the server in order to
// obtain an access token granted to the user
AccessTokenResponse response = authzClient.obtainAccessToken("alice", "alice");
```
On a side note, if possible, you'd rather reuse one of the Keycloak Java Adapters to cover more features, such as other authentication methods (the user is typically redirected to Keycloak WUI where you can enforce very flexible authentication and authorization policies).

cdan
-
Thanks for the reply. Okay. What I am looking for, is to use the Java API for keycloak to authenticate a user. – user840930 Aug 31 '18 at 02:26
-
I changed my answer. It should be more relevant to what you need. Let me know. – cdan Aug 31 '18 at 12:28
-
Thanks for changing your answer. It looks like what I'm looking for. I tried to implement it and I get a runtime exception: could not find any keycloak.json file in classpath. Any ideas what I might be missing? – user840930 Sep 02 '18 at 17:13
-
okay, I think I understand what this keycloak.json file is and where it comes from, but now where does it go? – user840930 Sep 02 '18 at 17:36
-
According to documentation (check the first link in my answer), the keycloak.json must be on your application's classpath. – cdan Sep 02 '18 at 18:10
-
okay, solved that problem. but now have another error: org.codehaus.jackson.map.exc.UnrecognizedPropertyException: Unrecognized field "auth-server-url" This field comes from my keycloak.json file generated by my keycloak server. – user840930 Sep 02 '18 at 19:10
-
"auth-server-url" appears in the documentation for keycloak.json file – user840930 Sep 02 '18 at 19:16
-
Which version of Keycloak Server do you have? And which version of `keycloak-authz-client` library? – cdan Sep 02 '18 at 20:48
-
Yes, of course! my versions were mismatched! 4.3 on keycloak server but I was using an earlier keycloak-authz client! Thank you!! – user840930 Sep 02 '18 at 22:05
-
now it runs without errors. But there is no response from authzClient.obtainAccessToken(id, password); – user840930 Sep 02 '18 at 22:40
-
Set the log level to DEBUG for the org.keycloak package to get more info about what's going on. Then do you see any HTTP request/reply to/from the Keycloak server? – cdan Sep 03 '18 at 00:19
-
Yes, that worked. error message: Client not allowed for direct access grants – user840930 Sep 03 '18 at 12:06
-
granted direct access and next problem: Invalid user credentials – user840930 Sep 03 '18 at 12:19
-
another question though, now that I have a valid token, how can I use it to access for instance a service secured by keycloak? I secured a REST service with keycloak, tried to use the token to access the service, but I get a 404 – user840930 Sep 14 '18 at 13:07
-
A couple of ways to validate Keycloak-issued JWT access tokens: 1) Do it in a reverse proxy, e.g. Apache + mod_auth_openidc and forward claims as headers; 2) In a Java app, you can use Keycloak API: https://gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde ; 3) do it manually with any JWT library. – cdan Sep 14 '18 at 22:09
-
AuthzClient authzClient = AuthzClient.create(); is now throwing an exception. Could not obtain configuration from server [https://keycloak.test.online/auth/realms/master/.well-known/uma2-configuration com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "introspection_endpoint" – user840930 Oct 24 '18 at 08:51
-
version mismatch again – user840930 Oct 24 '18 at 14:09
-
@user840930 Hi, I'm in the same situation now. I can obtain an AuthorizationResponse but I get an error when I call a secured service. Did you find out? – Andrew_SF Nov 09 '20 at 15:01
-
Make sure your version of the keycloak-authz-client library matches your version of the Keycloak server (or at least same major and minor version). – cdan Nov 10 '20 at 20:16
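
Added example, not part of the original answer or comments and not Keycloak's own code: the direct access (password) grant request sent with plain Java 11+ `java.net.http`, with the two error messages quoted in the comments mapped to their cause. The realm `demo`, the public client `demo-client`, the class and method names, and the in-process stub server with its JSON responses are constructed for illustration; the token endpoint path is Keycloak's standard OpenID Connect token endpoint under the `auth-server-url`.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;

public class DirectGrantDemo {
    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // Send the password-grant form to {auth-server-url}/realms/{realm}/protocol/openid-connect/token.
    static HttpResponse<String> requestToken(String authServerUrl, String realm,
            String clientId, String user, String password) throws Exception {
        URI endpoint = URI.create(authServerUrl + "/realms/" + realm + "/protocol/openid-connect/token");
        // The form carries the user's password: never log it, and use HTTPS outside of tests.
        String form = "grant_type=password&client_id=" + enc(clientId)
                + "&username=" + enc(user) + "&password=" + enc(password);
        HttpRequest request = HttpRequest.newBuilder(endpoint)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        return HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
    }

    // Map the two error messages quoted in the comments to their likely cause.
    static String diagnose(HttpResponse<String> r) {
        if (r.statusCode() == 200) return "token issued";
        if (r.body().contains("Client not allowed for direct access grants"))
            return "enable Direct Access Grants for this client";
        if (r.body().contains("Invalid user credentials"))
            return "username or password rejected by the realm";
        return "unexpected response, HTTP " + r.statusCode();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a Keycloak server: it only accepts alice/alice.
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/auth/realms/demo/protocol/openid-connect/token", exchange -> {
            String form = new String(exchange.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
            boolean ok = form.endsWith("&username=alice&password=alice");
            String json = ok ? "{\"access_token\":\"constructed.sample.token\"}"
                    : "{\"error\":\"invalid_grant\",\"error_description\":\"Invalid user credentials\"}";
            byte[] body = json.getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(ok ? 200 : 401, body.length);
            exchange.getResponseBody().write(body);
            exchange.close();
        });
        stub.start();
        String base = "http://127.0.0.1:" + stub.getAddress().getPort() + "/auth";
        System.out.println(diagnose(requestToken(base, "demo", "demo-client", "alice", "alice")));
        System.out.println(diagnose(requestToken(base, "demo", "demo-client", "alice", "wrong")));
        stub.stop(0);
    }
}
```

Against a real server, pass the `auth-server-url` and realm from your keycloak.json instead of the stub address; a confidential client would also need to authenticate itself, which this example leaves out.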