I have Keycloak for authentication and authorization of multiple applications (a web page and a REST API). From my understanding the flow for the web page when using OAuth2 authentication_code grant type is as follows:
In this flow, in the second step (the one in red) the resource owner logs in because she/he were redirected to the login page of Keycloak. This flow is clear to me and is working well.
But, with the REST API I don't know what is the process to authenticate and authorize the user (resource owner), because there isn't a browser to redirect him to the login page of Keycloak. So, I tried with the password grant type and it worked, but then I realized that this grant type is deprecated. So I tried again with the authorization_code grant type but can't make it work. I am trying to get the token using the following request:
URL: http://localhost:8080/auth/realms/somerealm/protocol/openid-connect/token
Body:
username: someuser
passwoord: somepassword
grant_type: authorization_code
client_id: someclient
secret: somesecret
The problem is that I am receving the following response:
{
"error": "invalid_request",
"error_description": "Missing parameter: code"
}
I know I have something wrong in the request (and in my understanding of OAuth2), but I have read a lot and can't discover what it is.
question from:
https://stackoverflow.com/questions/65867508/oauth2-flow-for-securing-a-rest-api 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
