Getting access to API 2.0

Below example is for staging Keycloak and guineapig client.
Please change urls and client accordingly to your needs.

Direct access

To retrieve an authorization token for Rest calls, send a POST request to  https://keycloak.staging-adhese.org/realms/adhese-guineapig/protocol/openid-connect/token with the parameters:

• username
• password
• client_id=adhese-app
• grant_type=password

Using curl:

curl --location 'https://keycloak.staging-adhese.org/realms/adhese-guineapig/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=adhese-app' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=username' \
--data-urlencode 'password=password'

You will get back an access token:  

{
    "access_token": "<access_token>",
    "expires_in": 60,
    "refresh_expires_in": 1800,
    "refresh_token": "<refresh_token>",
    "token_type": "Bearer",
    "not-before-policy": 0,
    "session_state": "0821e5b7-4420-4f8c-9a9f-4b98afc3fb6c",
    "scope": "profile email"
}

To execute Rest requests that require authorization, add an Authorization header with value Bearer <access_token>, where <access_token> is the access_token returned by the above request and add an Use-Keycloak-Auth header with value true

curl --location 'https://guineapig.staging-adhese.org/api/users/me' \
--header 'Use-Keycloak-Auth: true' \
--header 'Authorization: Bearer <access_token>'

Access via IDP

NOTE: Right now only guineapig is set up to support this flow. Other clients will be set up soon.

1. Read IDP client secret https://keycloak.staging-adhese.org/admin/master/console/#/master/clients/56c93ae2-be1b-4177-98ac-24e0aab7c1ae/credentials
2. Fetch token using IDP client
   

   curl --location 'https://keycloak.staging-adhese.org/realms/master/protocol/openid-connect/token' \
   --header 'Content-Type: application/x-www-form-urlencoded' \
   --data-urlencode 'client_id=adhese-guineapig-realm-idp' \
   --data-urlencode 'grant_type=password' \
   --data-urlencode 'username=name.surname@adhese.eu' \
   --data-urlencode 'password=password' \
   --data-urlencode 'client_secret=client_secret' \
   --data-urlencode 'scope=openid'

   
   
3. Exchange IDP token to realm specific token
   

   curl --location 'https://keycloak.staging-adhese.org/realms/adhese-guineapig/protocol/openid-connect/token' \
   --header 'Content-Type: application/x-www-form-urlencoded' \
   --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
   --data-urlencode 'client_id=adhese-app' \
   --data-urlencode 'subject_token=idp_token' \
   --data-urlencode 'subject_issuer=adhese-employee-oidc' \
   --data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token'

   
   
4. Use exchanged token to access client application endpoints