
Getting access to API 2.0

The example below uses the staging Keycloak and the guineapig client.
Change the URLs and the client to match your environment.

Users created directly in account realm

Replace the client- and realm-specific parts of the URLs in the examples below with those of your account.

To retrieve an authorization token for REST calls, send a POST request to https://auth.we.staging-adhese.org/realms/guineapig/protocol/openid-connect/token with the parameters:

  • username
  • password
  • client_id=adhese-app
  • grant_type=password

Using curl:

curl --location 'https://auth.we.staging-adhese.org/realms/guineapig/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=adhese-app' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=username' \
--data-urlencode 'password=password'

You will get back an access token:

{
    "access_token": "<access_token>",
    "expires_in": 60,
    "refresh_expires_in": 1800,
    "refresh_token": "<refresh_token>",
    "token_type": "Bearer",
    "not-before-policy": 0,
    "session_state": "0821e5b7-4420-4f8c-9a9f-4b98afc3fb6c",
    "scope": "profile email"
}

To execute REST requests that require authorization, add an Authorization header with the value Bearer <access_token>, where <access_token> is the access_token returned by the request above, and a Use-Keycloak-Auth header with the value true:

curl --location 'https://guineapig.staging-adhese.org/api/users/me' \
--header 'Use-Keycloak-Auth: true' \
--header 'Authorization: Bearer <access_token>'

And finally, to gain the proper permissions for users of Campaign Manager, exchange the access token (here in $ACCESS_TOKEN) for a requesting party token (RPT):

RPT_TOKEN=$(curl -s -X POST "https://auth.we.adhese.org/realms/jde/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  -d "audience=adhese" | jq -r .access_token)

If you get Permission 'campaign:view' is required to access this resource exceptions, it probably means you still need to perform the last step.

The same exception can also occur if your user is missing the required role. Roles are assigned via Keycloak.
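A small Python client for the flow above, added here as an example and not code from the Adhese documentation: it issues the password grant and the UMA ticket exchange, builds the two headers the API requires, decides from expires_in whether the 60-second token can still be used, should be refreshed or must be requested again, and inspects an RPT's scopes before calling the API so a missing campaign:view is caught before the exception. Assumptions: all calls go to the staging guineapig token endpoint, and the RPT carries Keycloak's authorization.permissions[].scopes claim layout; jwt_claims only decodes and never verifies a token.

```python
import base64, json
import urllib.parse, urllib.request
# Staging guineapig endpoint from the page (its RPT step uses another realm URL; adjust as needed).
TOKEN_URL = "https://auth.we.staging-adhese.org/realms/guineapig/protocol/openid-connect/token"
EXPIRY_SKEW = 10  # seconds of margin; the page's sample access token lives only 60 s

def post_form(url, fields, bearer=None):
    """POST a form-encoded body (as the page's curl calls do) and parse the JSON reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    if bearer:
        req.add_header("Authorization", f"Bearer {bearer}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def password_grant(username, password, client_id="adhese-app"):
    """First call on the page: direct-grant login returning access and refresh tokens."""
    return post_form(TOKEN_URL, {"client_id": client_id, "grant_type": "password",
                                 "username": username, "password": password})

def uma_rpt(access_token, audience="adhese"):
    """Last call on the page: trade the access token for an RPT carrying the permissions."""
    return post_form(TOKEN_URL, {"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
                                 "audience": audience}, bearer=access_token)

def api_headers(token):  # both headers the page requires on API calls
    return {"Authorization": f"Bearer {token}", "Use-Keycloak-Auth": "true"}

def next_action(token_response, obtained_at, now):
    """From expires_in/refresh_expires_in decide whether to reuse, refresh or log in again."""
    age = now - obtained_at
    if age < token_response["expires_in"] - EXPIRY_SKEW:
        return "use"
    if age < token_response["refresh_expires_in"] - EXPIRY_SKEW:
        return "refresh"
    return "login"

def jwt_claims(token):
    """Decode the payload WITHOUT verifying the signature: inspection only, the API validates."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def rpt_scopes(rpt):
    """Scopes granted in an RPT (assumed Keycloak layout: authorization.permissions[].scopes)."""
    perms = jwt_claims(rpt).get("authorization", {}).get("permissions", [])
    return {s for p in perms for s in p.get("scopes", [])}

def encode_unsigned_jwt(claims):  # constructed fixture for offline tests; real tokens come from Keycloak
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."
```

Typical use is password_grant, then uma_rpt on its access_token, then api_headers(rpt) on every API call, re-running the steps when next_action says so.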

Users from IDP

NOTE: Right now only guineapig is set up to support this flow. Other clients will be set up soon.

  1. Read the IDP client secret from https://auth.we.staging-adhese.org/admin/master/console/#/master/clients/56c93ae2-be1b-4177-98ac-24e0aab7c1ae/credentials
  2. Fetch a token using the IDP client:
    curl --location 'https://auth.we.staging-adhese.org/realms/master/protocol/openid-connect/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'client_id=adhese-guineapig-realm-idp' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'username=name.surname@adhese.eu' \
    --data-urlencode 'password=password' \
    --data-urlencode 'client_secret=client_secret' \
    --data-urlencode 'scope=openid'
  3. Exchange the IDP token for a realm-specific token:
    curl --location 'https://auth.we.staging-adhese.org/realms/guineapig/protocol/openid-connect/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
    --data-urlencode 'client_id=adhese-app' \
    --data-urlencode 'subject_token=idp_token' \
    --data-urlencode 'subject_issuer=adhese-employee-oidc' \
    --data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token'
  4. Use the exchanged token to access the client application endpoints.