Getting access to API 2.0

~~Below~~The example is for staging Keycloak and guineapig client.
Please ~~change~~amend ~~urls~~the URLs and client ~~accordingly~~according to your ~~needs.~~requirements.

Users created directly in the account realm

~~Take~~Replace ~~note~~the ~~to replace client~~client- or ~~realm~~ realm-specific parts of the ~~url~~URLs ofin the examples ~~down~~ below with your account's specific ~~urls.~~URLs.

To retrieve an ~~authorization~~authorisation token for ~~Rest~~REST calls, send a POST request to https://auth.we.staging-adhese.org/realms/guineapig/protocol/openid-connect/token with the following parameters:

username
password
client_id=adhese-app
grant_type=password

Using curl:

curl --location 'https://auth.we.staging-adhese.org/realms/guineapig/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=adhese-app' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=username' \
--data-urlencode 'password=password'

You will get back an access token:

{
    "access_token": "<access_token>",
    "expires_in": 60,
    "refresh_expires_in": 1800,
    "refresh_token": "<refresh_token>",
    "token_type": "Bearer",
    "not-before-policy": 0,
    "session_state": "0821e5b7-4420-4f8c-9a9f-4b98afc3fb6c",
    "scope": "profile email"
}

To execute ~~Rest~~REST requests that require ~~authorization,~~authorisation, add an Authorization header with value Bearer <access_token>, where <access_token> is the access_token returned by the above request and add an Use-Keycloak-Auth header with value true

curl --location 'https://guineapig.staging-adhese.org/api/users/me' \
--header 'Use-Keycloak-Auth: true' \
--header 'Authorization: Bearer <access_token>'

And finally, to gain the proper permissions for users of Campaign Manager:

RPT_TOKEN=$(curl -s -X POST "https://auth.we.adhese.org/realms/jde/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  -d "audience=adhese" | jq -r .access_token)

If ~~you're~~you ~~getting~~receive the message Permission 'campaign:view' is required to access this resource it probably means that your user role is missing. This ~~has to~~must be ~~done~~configured via Keycloak.

Users from IDP

~~NOTE:~~Please ~~Right~~note ~~now~~that at present, only guineapig is ~~set up~~configured to support this ~~flow.~~process. ~~Other~~Support for other clients will be ~~set up~~added soon.

Read IDP client secret https://auth.we.staging-adhese.org/admin/master/console/#/master/clients/56c93ae2-be1b-4177-98ac-24e0aab7c1ae/credentials

Fetch token using IDP client

curl --location 'https://auth.we.staging-adhese.org/realms/master/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=adhese-guineapig-realm-idp' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=name.surname@adhese.eu' \
--data-urlencode 'password=password' \
--data-urlencode 'client_secret=client_secret' \
--data-urlencode 'scope=openid'

Exchange IDP token to realm specific token

curl --location 'https://auth.we.staging-adhese.org/realms/guineapig/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'client_id=adhese-app' \
--data-urlencode 'subject_token=idp_token' \
--data-urlencode 'subject_issuer=adhese-employee-oidc' \
--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token'

Use the exchanged token to access client application endpoints