Getting access to API 2.0
The examples below use the staging Keycloak instance and the guineapig client.
Amend the URLs and the client according to your requirements.
Users created directly in the account realm
Replace the client- or realm-specific parts of the URLs in the examples below with your account's specific URLs.
To obtain an access token for REST calls, send a form-encoded POST request (the OAuth 2.0 password grant) to https://auth.we.staging-adhese.org/realms/guineapig/protocol/openid-connect/token with the following parameters:
- username
- password
- client_id=adhese-app
- grant_type=password
Using curl:
curl --location 'https://auth.we.staging-adhese.org/realms/guineapig/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=adhese-app' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=username' \
--data-urlencode 'password=password'
You will get back a JSON response containing the access token. Note expires_in: the access token is only valid for 60 seconds, so request a new one (or use the returned refresh_token with grant_type=refresh_token) rather than caching it:
{
"access_token": "<access_token>",
"expires_in": 60,
"refresh_expires_in": 1800,
"refresh_token": "<refresh_token>",
"token_type": "Bearer",
"not-before-policy": 0,
"session_state": "0821e5b7-4420-4f8c-9a9f-4b98afc3fb6c",
"scope": "profile email"
}
To execute REST requests that require authorisation, add an Authorization header with the value Bearer <access_token>, where <access_token> is the access_token returned by the request above, and add a Use-Keycloak-Auth header with the value true. For example:
curl --location 'https://guineapig.staging-adhese.org/api/users/me' \
--header 'Use-Keycloak-Auth: true' \
--header 'Authorization: Bearer <access_token>'
Finally, to obtain the permissions that Campaign Manager users need, exchange the access token for a requesting party token (RPT) via the UMA ticket grant. This example targets the production jde realm and the adhese audience; amend the realm and audience for your account, and set ACCESS_TOKEN to the access token obtained above:
RPT_TOKEN=$(curl -s -X POST "https://auth.we.adhese.org/realms/jde/protocol/openid-connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
-d "audience=adhese" | jq -r .access_token)
If you receive the message Permission 'campaign:view' is required to access this resource, your user is most likely missing the required role. Roles are assigned in Keycloak, not via the API.
Users from IDP
Please note that at present, only guineapig is configured to support this process. Support for other clients will be added soon.
- Read the IDP client secret from the Keycloak admin console (it is a credential: keep it out of scripts and shell history): https://auth.we.staging-adhese.org/admin/master/console/#/master/clients/56c93ae2-be1b-4177-98ac-24e0aab7c1ae/credentials
- Fetch a token using the IDP client (a password grant against the master realm, authenticated with the client secret):
curl --location 'https://auth.we.staging-adhese.org/realms/master/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=adhese-guineapig-realm-idp' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=name.surname@adhese.eu' \
--data-urlencode 'password=password' \
--data-urlencode 'client_secret=client_secret' \
--data-urlencode 'scope=openid'
- Exchange the IDP token for a realm-specific token (OAuth 2.0 token exchange; subject_token is the access_token returned by the previous step):
curl --location 'https://auth.we.staging-adhese.org/realms/guineapig/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'client_id=adhese-app' \
--data-urlencode 'subject_token=idp_token' \
--data-urlencode 'subject_issuer=adhese-employee-oidc' \
--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token'
- Use the exchanged token to access the client application endpoints, with the Authorization and Use-Keycloak-Auth headers as described above.
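The following script is an added example and is not part of the Adhese documentation or tooling. It wraps both procedures on this page (the account-realm flow: password grant, API call with the two headers, UMA ticket grant for the RPT; and the IDP flow: master-realm token followed by token exchange) in shell functions that fail loudly on an HTTP error instead of yielding an empty token, and it shows how to read the exp claim of the returned JWT so a job can tell when the 60-second token has run out. The default URLs, realm, client IDs, audience and issuer are taken from the examples above and are assumptions to be overridden via the environment; IDP_CLIENT_SECRET, USERNAME and PASSWORD must be supplied by you.

```shell
#!/bin/sh
# Added example, not Adhese's own tooling: the page's two flows as checked shell functions.
# Assumed defaults (override via the environment): the page's staging URLs and clients, the
# "adhese" audience from the Campaign Manager step, and the IDP client/issuer from the IDP section.
KC_BASE="${KC_BASE:-https://auth.we.staging-adhese.org}"
REALM="${REALM:-guineapig}"
CLIENT_ID="${CLIENT_ID:-adhese-app}"
AUDIENCE="${AUDIENCE:-adhese}"
API_BASE="${API_BASE:-https://guineapig.staging-adhese.org}"
IDP_CLIENT_ID="${IDP_CLIENT_ID:-adhese-guineapig-realm-idp}"
IDP_ISSUER="${IDP_ISSUER:-adhese-employee-oidc}"
TOKEN_URL="$KC_BASE/realms/$REALM/protocol/openid-connect/token"

# json_field JSON KEY: top-level scalar (string or number) value, no jq needed; works on
# Keycloak's single-line responses and on the pretty-printed form shown on this page.
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p" | head -n 1
}

# jwt_payload TOKEN: decode the claims segment. Keycloak emits unpadded base64url, so
# swap the alphabet and restore '=' before base64 -d. No signature check is done here.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}
jwt_claim() { json_field "$(jwt_payload "$1")" "$2"; }   # jwt_claim TOKEN KEY (exp, iss, azp, ...)

# token_seconds_left TOKEN [NOW]: the page's tokens live 60 s, so re-request rather than cache.
token_seconds_left() { echo $(( $(jwt_claim "$1" exp) - ${2:-$(date +%s)} )); }

# kc_post CURL_ARGS...: form POST that echoes the body and fails on HTTP >= 400, so a 401
# invalid_grant is reported instead of silently turning into an empty token.
kc_post() {
  tmp=$(mktemp)
  code=$(curl -sS -o "$tmp" -w '%{http_code}' \
    --header 'Content-Type: application/x-www-form-urlencoded' "$@")
  cat "$tmp"; rm -f "$tmp"
  [ "$code" -lt 400 ]
}

# Account-realm users: password grant -> API call -> UMA ticket grant (RPT).
password_grant() {
  resp=$(kc_post "$TOKEN_URL" --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode 'grant_type=password' \
    --data-urlencode "username=$1" --data-urlencode "password=$2") ||
    { echo "password grant failed: $resp" >&2; return 1; }
  json_field "$resp" access_token
}
api_get() {  # api_get TOKEN PATH: both headers the API requires
  curl -sS --header 'Use-Keycloak-Auth: true' \
    --header "Authorization: Bearer $1" "$API_BASE$2"
}
rpt_grant() {  # rpt_grant TOKEN: RPT carrying the Campaign Manager permissions
  resp=$(kc_post "$TOKEN_URL" --header "Authorization: Bearer $1" \
    --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
    --data-urlencode "audience=$AUDIENCE") ||
    { echo "RPT request failed (role missing in Keycloak?): $resp" >&2; return 1; }
  json_field "$resp" access_token
}

# IDP users: password grant against the master realm with the IDP client secret
# (IDP_CLIENT_SECRET from the admin console; keep it out of scripts and history), then exchange.
idp_token() {
  resp=$(kc_post "$KC_BASE/realms/master/protocol/openid-connect/token" \
    --data-urlencode "client_id=$IDP_CLIENT_ID" --data-urlencode "client_secret=$IDP_CLIENT_SECRET" \
    --data-urlencode 'grant_type=password' --data-urlencode 'scope=openid' \
    --data-urlencode "username=$1" --data-urlencode "password=$2") ||
    { echo "IDP grant failed: $resp" >&2; return 1; }
  json_field "$resp" access_token
}
exchange_token() {  # exchange_token IDP_TOKEN -> realm-specific access token
  resp=$(kc_post "$TOKEN_URL" --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
    --data-urlencode "subject_token=$1" --data-urlencode "subject_issuer=$IDP_ISSUER" \
    --data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token') ||
    { echo "token exchange failed: $resp" >&2; return 1; }
  json_field "$resp" access_token
}

# Usage: USERNAME=... PASSWORD=... [IDP=1] sh access.sh
if [ -n "${USERNAME:-}" ]; then
  if [ -n "${IDP:-}" ]; then
    idp=$(idp_token "$USERNAME" "$PASSWORD") || exit 1; tok=$(exchange_token "$idp") || exit 1
  else
    tok=$(password_grant "$USERNAME" "$PASSWORD") || exit 1
  fi
  echo "access token expires in $(token_seconds_left "$tok") s" >&2
  api_get "$tok" /api/users/me; echo
  rpt_grant "$tok" >/dev/null && echo "RPT obtained for audience $AUDIENCE" >&2
fi
```

Run it as USERNAME=... PASSWORD=... sh access.sh, adding IDP=1 for the IDP route. The JSON and JWT helpers avoid jq so the script runs wherever curl and coreutils exist; jwt_claim only decodes and does not verify the signature, so use it to inspect a token you have just obtained, never to validate a token presented to you.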