Programmatically authenticate user with Keycloak in java


--EDIT 2018-08-31--

You can use the Authorization Client Java API. Once you have created an AuthzClient object, you can pass the username and password to the AuthzClient#authorization(username, password) or AuthzClient#obtainAccessToken(username, password) method to authenticate the user and get the access token (and/or ID token in the first case):

import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.AccessTokenResponse;

// create a new instance based on the configuration defined in keycloak-authz.json
AuthzClient authzClient = AuthzClient.create();

// send the authorization request to the server in order to
// obtain an access token granted to the user
AccessTokenResponse response = authzClient.obtainAccessToken("alice", "alice");

On a side note, if possible, you'd rather reuse one of the Keycloak Java Adapters to cover more features, such as other authentication methods (the user is typically redirected to Keycloak WUI where you can enforce very flexible authentication and authorization policies).

Author by

user840930

Updated on June 30, 2022
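
The same obtainAccessToken call with the client configuration built in code, so no keycloak.json lookup on the classpath is needed, and with the server's rejection reason (for example "Client not allowed for direct access grants" or "Invalid user credentials") reported instead of lost. This is an added example, not code from the answer or from the Keycloak project. The class name and the KC_* environment variable names are assumptions, as is a confidential client with direct access grants enabled and a keycloak-authz-client version matching the server.

```java
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Map;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;
import org.keycloak.authorization.client.util.HttpResponseException;
import org.keycloak.representations.AccessTokenResponse;

public class DirectGrantLogin {
    public static void main(String[] args) { System.exit(login()); }

    static int login() {
        // Assumed variable names; no URL, client secret or password is hard-coded.
        String serverUrl = System.getenv("KC_SERVER_URL");
        String realm = System.getenv("KC_REALM");
        String clientId = System.getenv("KC_CLIENT_ID");
        String secret = System.getenv("KC_CLIENT_SECRET");
        Console console = System.console();
        if (console == null || serverUrl == null || realm == null || clientId == null || secret == null) {
            System.err.println("Need an interactive console and the KC_* variables");
            return 2;
        }
        String username = console.readLine("Username: ");
        char[] password = console.readPassword("Password: "); // not echoed to the terminal
        if (username == null || password == null) return 2;
        // Explicit configuration replaces the keycloak.json file on the classpath.
        Map<String, Object> credentials = Collections.singletonMap("secret", secret);
        Configuration config = new Configuration(serverUrl, realm, clientId, credentials, null);
        try {
            AuthzClient authzClient = AuthzClient.create(config);
            AccessTokenResponse token = authzClient.obtainAccessToken(username, new String(password));
            // The token is a bearer credential: report its metadata, never the value.
            System.out.printf("Authenticated %s: %s token, expires in %d s%n",
                    username, token.getTokenType(), token.getExpiresIn());
            return 0;
        } catch (RuntimeException e) {
            // A non-2xx reply carries the status and the JSON error body from the server.
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof HttpResponseException) {
                    HttpResponseException h = (HttpResponseException) t;
                    String body = h.getBytes() == null ? "" : new String(h.getBytes(), StandardCharsets.UTF_8);
                    System.err.printf("Token request rejected: HTTP %d %s %s%n",
                            h.getStatusCode(), h.getReasonPhrase(), body);
                    return 1;
                }
            }
            System.err.println("No usable response from the Keycloak server: " + e.getMessage());
            return 1;
        }
    }
}
```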

Comments

  • user840930
    user840930 almost 2 years

    I have been looking through the Keycloak documentation but cannot see how to do this. With Java, I'd like to take a valid userid and password and then generate a token. How can I do this?

  • user840930
    user840930 over 5 years
    Thanks for the reply. Okay. What I am looking for, is to use the Java API for keycloak to authenticate a user.
  • cdan
    cdan over 5 years
    I changed my answer. It should be more relevant to what you need. Let me know.
  • user840930
    user840930 over 5 years
    Thanks for changing your answer. It looks like what I'm looking for. I tried to implement it and I get a runtime exception: could not find any keycloak.json file in classpath. Any ideas what I might be missing?
  • user840930
    user840930 over 5 years
    okay, I think I understand what this keycloak.json file is and where it comes from, but now where does it go?
  • cdan
    cdan over 5 years
    According to documentation (check the first link in my answer), the keycloak.json must be on your application's classpath.
  • user840930
    user840930 over 5 years
    okay, solved that problem. but now have another error: org.codehaus.jackson.map.exc.UnrecognizedPropertyException: Unrecognized field "auth-server-url" This field comes from my keycloak.json file generated by my keycloak server.
  • user840930
    user840930 over 5 years
    "auth-server-url" appears in the documentation for keycloak.json file
  • cdan
    cdan over 5 years
    Which version of Keycloak Server do you have? And which version of keycloak-authz-client library?
  • user840930
    user840930 over 5 years
    Yes, of course! my versions were mismatched! 4.3 on keycloak server but I was using an earlier keycloak-authz client! Thank you!!
  • user840930
    user840930 over 5 years
    now it runs without errors. But there is no response from authzClient.obtainAccessToken(id, password);
  • cdan
    cdan over 5 years
    Set the log level to DEBUG for the org.keycloak package to get more info about what's going on. Then do you see any HTTP request/reply to/from the Keycloak server?
  • user840930
    user840930 over 5 years
    Yes, that worked. error message: Client not allowed for direct access grants
  • user840930
    user840930 over 5 years
    granted direct access and next problem: Invalid user credentials
  • user840930
    user840930 over 5 years
    another question though, now that I have a valid token, how can I use it to access for instance a service secured by keycloak? I secured a REST service with keycloak, tried to use the token to access the service, but I get a 404
  • cdan
    cdan over 5 years
    A couple of ways to validate Keycloak-issued JWT access tokens: 1) Do it in a reverse proxy, e.g. Apache + mod_auth_openidc and forward claims as headers; 2) In a Java app, you can use Keycloak API: gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde ; 3) do it manually with any JWT library.
  • user840930
    user840930 over 5 years
    AuthzClient authzClient = AuthzClient.create(); is now throwing an exception. Could not obtain configuration from server [keycloak.test.online/auth/realms/master/.well-known/… com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "introspection_endpoint"
  • user840930
    user840930 over 5 years
    version mismatch again
  • Andrew_SF
    Andrew_SF over 3 years
    @user840930 Hi, I'm in the same situation now. I can obtain an AuthorizationResponse but I get an error when I call a secured service. Did you find out?
  • cdan
    cdan over 3 years
    Make sure your version of the keycloak-authz-client library matches your version of the Keycloak server (or at least same major and minor version).