
Introduction

This type of authentication can be used for:

  • tests
  • application authentication without user interaction (e.g. server application)

It can be used only for local accounts (external providers like ADFS, LDAP are not supported).

Realm configuration

Add a client that will be allowed this type of access:

https://www.keycloak.org/docs/latest/server_admin/#_clients


Example client configuration:

Important properties:

Client ID - sent in the authentication request, together with client_secret (for confidential clients only)

Enabled - if the client is not enabled, authentication requests are not allowed

Direct Access Grants Enabled - enables the authentication flow in which an access token is obtained by sending the user credentials directly in the authentication request

Access Type - use public or confidential; confidential is recommended because it requires an additional client_secret for authentication; if the application cannot store client_secret securely, use public instead

The client_secret can be obtained from the Keycloak admin console, on the Credentials tab of the client configuration.

Requesting login and Token

Endpoint to be used for login (authentication request):

POST https://keycloak.test.bim.cloud/auth/realms/{realm}/protocol/openid-connect/token

Full sample:

POST https://keycloak.test.bim.cloud/auth/realms/tessel-demo4/protocol/openid-connect/token

Required parameter:

  • realm name - unique for every customer.
    In a test environment it can be hardcoded or obtained from the HDC application, see (sv) Setting up client application


The request must be sent with the following payload:

Content-Type: application/x-www-form-urlencoded

  • username - realm user
  • password - user password as set
  • client_id - client id configured in the Keycloak realm
  • client_secret - client secret associated with the client in the Keycloak realm
  • grant_type - password

username=[username]&password=[userpassword]&grant_type=password&client_secret=[client_secret]&client_id=HDC+Client+for+auto+tests

Authentication response

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYVUM5NlRFS092UjFBbXFfR0R2QzhjZ2tuRV9BaHZlaG1DS3c2cUJqa0xZIn0.eyJleHAiOjE2MzA5Mzk2MTMsImlhdCI6MTYzMDkzNjAxMywianRpIjoiMmE2OWZiOTUtMDliNi00MDA2LTg5NGQtOTc0Y2M3OTM1NGFlIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay50ZXN0LmJpbS5jbG91ZC9hdXRoL3JlYWxtcy90ZXNzZWwtZGVtbzQiLCJhdWQiOlsiSERDIEZNIFNlcnZlciBBcHBsaWNhdGlvbiIsImFjY291bnQiXSwic3ViIjoiOTJiNzA0MWMtNDExZC00YTQwLWI0YjItZmFjYzk1NzVhYzc2IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiSERDIENsaWVudCBmb3IgYXV0byB0ZXN0cyIsInNlc3Npb25fc3RhdGUiOiIzZDcwZTJjOC1hNDVlLTRhMjAtOTQ0OS0xNWY0ZmI5YzdjMDIiLCJhY3IiOiIxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIkNoYW5nZSBSZXBvcnRlciIsIlVzZXIiLCJNYWluVXNlcnNHcm91cCIsIlVzZXJzIiwiZGVmYXVsdC1yb2xlcy10ZXNzZWwtZGVtbzQiLCJTeXN0ZW0gQWRtaW5pc3RyYXRvciIsIlRTTCBDcmV3IiwiQmFzaWMgQXJjaGl2ZSBNYW5hZ2VyIiwiQWRtaW5pc3RyYXRvciIsIkNoYW5nZSBNYW5hZ2VyIiwib2ZmbGluZV9hY2Nlc3MiLCJEYXRhIEV4Y2hhbmdlIE1hbmFnZXIiLCJTeXN0ZW0gVXNlcnMiLCJBZG1pbnMiLCJ1bWFfYXV0aG9yaXphdGlvbiIsIlNlY3VyaXR5IEFkbWluaXN0cmF0b3IiLCJBZHZhbmNlZCBBcmNoaXZlIE1hbmFnZXIiXX0sInJlc291cmNlX2FjY2VzcyI6eyJIREMgRk0gU2VydmVyIEFwcGxpY2F0aW9uIjp7InJvbGVzIjpbInZpZXctZGF0YS1leGNoYW5nZS1hdWRpdCIsInJlcG9ydC1jaGFuZ2UtcmVxdWVzdHMiLCJtYW5hZ2Utb3duLWRyYWZ0cyIsIm1hbmFnZS1jaGFuZ2UtcmVxdWVzdHMiLCJhY2Nlc3MtYXVkaXQtdHJhaWwiLCJ2aWV3LXVzZXItYWN0aXZpdHktYXVkaXQiLCJ2aWV3LXNoYXJlZC1kcmFmdHMiLCJhbm9ueW1vdXMtYXBpIiwiZWRpdC1tYXN0ZXItYXJjaGl2ZS12ZXJzaW9uIiwidmlldy1tYXN0ZXItYXJjaGl2ZS12ZXJzaW9ucyIsIm1hbmFnZS1hbGwtZHJhZnRzIiwiZGF0YS1leGNoYW5nZS1leHBvcnQiLCJtYW5hZ2Utc2VjdXJpdHktc2V0dGluZ3MiLCJ2aWV3LWFsbC1kcmFmdHMiLCJhY2Nlc3MtYWRtaW4tb3BlcmF0aW9ucyIsInZpZXctdmVyc2lvbmluZy1hdWRpdCIsInN5c3RlbS11c2VyIiwicmV2ZXJ0LXB1Ymxpc2hlZC12ZXJzaW9uIiwidmlldy1vYmplY3QtYXVkaXQiLCJtYW5hZ2Utc3lzdGVtLXNldHRpbmdzIiwiZGF0YS1leGNoYW5nZS1pbXBvcnQiLCJzZXQtZGVmYXVsdC12ZXJzaW9uIiwicHVibGlzaC1kcmFmdHMiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoiZW1haWwgcHJvZmlsZSIsInNpZCI6IjNkNzBlMmM4LWE0NWUtNGEyMC0
5NDQ5LTE1ZjRmYjljN2MwMiIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6IkpNZXRlciIsInByZWZlcnJlZF91c2VybmFtZSI6ImptZXRlciIsImxvY2FsZSI6InN2IiwiZ2l2ZW5fbmFtZSI6IkpNZXRlciIsImZhbWlseV9uYW1lIjoiIiwiZW1haWwiOiJ0b21hc3oud3ljem9sa293c2tpQHRlc3NlbC5wbCJ9.jdQ7TEv2Bf3eFIvvZDAaSsyE5L17RIw9vIwNMOKNsNFfPM1fUu1QFxy2qcKmBAFCbsXP4Y5N_iDb-LXIlTK3Js4A9Fwyl_UztTkQYQv8KxHVUyFr0CwzHr1HRE8g-1-zFMkcPoxg7NT9lcddltZdVfPx8wVVol-jhf9ovr55mqY36KmRzKPZjXkpaf2cR6tabU0gM4ixCph3Wc2CLWGZwIy9TkTCs6IGg_SfMBAZzDEa52z62UdQs5NwTx2MyiHsD9o2Q5HdnfUlCCeJYTxwO8XQnaVe25xcF5bdoOLFGn2bzWzzimIWYhu0ynV0t7VJT_Nf5Uoes7kURGc6_nfEAA",
    "expires_in": 3600,
    "refresh_expires_in": 28800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5ZDA2OTc0Mi1lM2IzLTQ3OGEtYTc0NC0zM2E4ODRmNWFjZDAifQ.[...].DIQ0vNKHOamOoLxsJo8DYTE3rj1FfK8xRX6RN37j6TM",
    "token_type": "Bearer",
    "not-before-policy": 0,
    "session_state": "3d70e2c8-a45e-4a20-9449-15f4fb9c7c02",
    "scope": "email profile"
}


From the received response JSON, copy the access token from access_token and send it with the Bearer prefix in the X-Authorization header of every secured HDC request.

Example:

Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYVUM5NlRFS092UjFBbXFfR0R2QzhjZ2tuRV9BaHZlaG1DS3c2cUJqa0xZIn0.[...].jdQ7TEv2Bf3eFIvvZDAaSsyE5L17RIw9vIwNMOKNsNFfPM1fUu1QFxy2qcKmBAFCbsXP4Y5N_iDb-LXIlTK3Js4A9Fwyl_UztTkQYQv8KxHVUyFr0CwzHr1HRE8g-1-zFMkcPoxg7NT9lcddltZdVfPx8wVVol-jhf9ovr55mqY36KmRzKPZjXkpaf2cR6tabU0gM4ixCph3Wc2CLWGZwIy9TkTCs6IGg_SfMBAZzDEa52z62UdQs5NwTx2MyiHsD9o2Q5HdnfUlCCeJYTxwO8XQnaVe25xcF5bdoOLFGn2bzWzzimIWYhu0ynV0t7VJT_Nf5Uoes7kURGc6_nfEAA


In addition, requests that work on an HDC version must send the versionId in the X-Hdc-Version-Id header.


To get the default version id, invoke

GET ../api/systeminfo/json

and read the id from defaultVersion.versionId in the JSON response.
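
The request and headers described above, put together as an added example (not HDC or Keycloak project code): it builds the form-encoded password-grant request so that special characters in credentials are escaped, and turns the token response into the X-Authorization and X-Hdc-Version-Id headers. The function and class names, the 30-second expiry margin and the sample response are assumptions made for the illustration.

```python
import json
import time
import urllib.parse
import urllib.request

BASE = "https://keycloak.test.bim.cloud/auth"  # test host shown on this page
# Constructed sample response (not a real token) for trying TokenSession offline.
SAMPLE = {"access_token": "constructed.sample.token", "expires_in": 3600, "token_type": "Bearer"}


def build_token_request(realm, username, password, client_id, client_secret=None):
    """Build the POST for the password grant (grant_type=password)."""
    form = {"grant_type": "password", "username": username,
            "password": password, "client_id": client_id}
    if client_secret is not None:  # confidential clients only
        form["client_secret"] = client_secret
    # urlencode escapes '&', '=', '+' and spaces, so a password like 'p&ss=1+2'
    # stays inside its own field instead of corrupting the form body.
    body = urllib.parse.urlencode(form).encode("ascii")
    url = f"{BASE}/realms/{urllib.parse.quote(realm, safe='')}/protocol/openid-connect/token"
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})


def fetch_token(request):  # network call; needs real credentials
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)


class TokenSession:  # keeps the token, builds headers for secured HDC requests
    def __init__(self, token_response, now=None):
        if token_response.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type")
        self._access = token_response["access_token"]
        issued = time.time() if now is None else now
        self._expires_at = issued + token_response["expires_in"]

    def expired(self, now=None, skew=30):  # 30 s safety margin (assumption)
        return (time.time() if now is None else now) >= self._expires_at - skew

    def headers(self, version_id=None, now=None):
        if self.expired(now):
            raise RuntimeError("access token expired; request a new one")
        h = {"X-Authorization": f"Bearer {self._access}"}
        if version_id is not None:  # defaultVersion.versionId from systeminfo
            h["X-Hdc-Version-Id"] = str(version_id)
        return h

    def __repr__(self):  # keep the token out of logs and tracebacks
        return "<TokenSession access_token=[hidden]>"
```

Nothing is sent until fetch_token is called with the built request; the client secret and password are best read from the environment or a secret store rather than written into test scripts.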
