okume

Reputation: 1

Authorization Code Grant Flow in Keycloak

I am new to this and after reading a lot I feel that I don't quite understand how to implement the authorization code flow in Keycloak. My doubts:

  1. After you have created a client that supports this flow, how do you perform the credential validation? By default, if I don't configure anything, I get a login form. If I open this HTML in a browser and fill in the user and password fields, when I press the button it sends me to a URL of the type ".../realms/{REAL_NAME}/login-actions/authenticate?session_code=...." but I don't understand if this should work (it seems that it doesn't) or if something else is needed, like adding an Identity Provider.

  2. In case it is necessary to add a provider, how do you add one that is not external like Google, Facebook, etc.? I have seen the Keycloak OpenID Provider option but I don't understand well what I should put in the Authorization endpoint, token endpoint, client, etc. fields. Should I use an existing client or generate a new one?

I'm sorry if the questions seem obvious but I can't square the circle and implement the entire flow without using an external IDP. Thanks in advance!

Upvotes: 0

Views: 5887

Answers (2)

okume

Reputation: 1

Thank you very much for your answer.

I may not have been very precise in my explanation, so I'll give more details. I have a client configured as openid-connect with standard flow enabled. When I make the first request, for example:

curl -v -d "scope=openid&client_id=backend&response_type=code&redirect_uri=https://www.example.com/callback" -H "Content-Type: application/x-www-form-urlencoded" -X POST localhost:8180/auth/realms/myrealm/protocol/openid-connect/auth

I receive an HTML page with a login form. My problems start here (probably because I'm not using a browser in a flow designed for that). If I store this HTML in a file, open it in a browser and try to enter the username and password, I receive an error. If I open the HTML code I can see an action with:

http://localhost:8180/auth/realms/myrealm/login-actions/authenticate?session_code=r8p94ca0Umrc-S9BMPC_U168Vmc9y_KESCEI_dHk52I&execution=b47d36ec-2b7d-4ec3-aaf7-cf68ca5d2380&client_id=backend&tab_id=9UEVmEJPLio

So I understand that I can continue with the process by sending a POST request, but I cannot (I get a 400 with an error HTML). My doubt is whether this default authentication should be possible without configuring any Identity Provider. I understand that it should be, but how?

If I try another flow such as Credentials, I get an access_token without problems, but with the Authorization Code flow I cannot get past the login form.

EDIT: When I write a question I can see all the lines in the editor but when it is published the first line disappears (where I say hello), that's why I look so rude, my apologies!

Upvotes: 0

cookie

Reputation: 31

  1. Your client (app) needs to support OAuth (or SAML). You create a client in Keycloak. You configure your app with the Keycloak settings (URL, id, key?). Your client sends users to Keycloak. The user logs in to Keycloak and will be sent back to your app. It is possible to implement your own login form and send the data via API to Keycloak. I would go with the first approach. (https://www.keycloak.org/docs/latest/server_admin/#_clients)
  2. You want to try out Keycloak without an external provider but want to use an external provider? I created 2 realms. In realm1 I added a client (SAML or OAuth, whatever you like). In realm2 I added an Identity Provider with the stuff I set up in the realm1 client. Now I can log in to realm2 using users in realm1. If you want to use an external Identity Provider like FB or a company-owned one, you do only the second step and add Identity Providers. (https://www.keycloak.org/docs/latest/server_admin/#_identity_broker)

Upvotes: 3
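The redirect-based flow cookie describes in step 1, as an added example that is not code from the answer or from Keycloak itself: the app builds the authorization URL and sends the browser there (the login form is rendered and submitted by the browser against Keycloak, never by the app), checks the state on the callback, and exchanges the code at the token endpoint from the backend. The realm URL, client id and redirect URI are placeholders taken from the question's examples, and the PKCE challenge is an addition beyond what the answer mentions.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed Keycloak base URL and realm, matching the question's setup (placeholder values).
REALM = "http://localhost:8180/auth/realms/myrealm"
AUTH_ENDPOINT = f"{REALM}/protocol/openid-connect/auth"
TOKEN_ENDPOINT = f"{REALM}/protocol/openid-connect/token"


def pkce_challenge(code_verifier: str) -> str:
    # RFC 7636 S256: base64url(sha256(verifier)) with the padding stripped
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id, redirect_uri, state, code_verifier):
    # Step 1: the app redirects the browser here; it never submits the login form itself.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,  # random per session, checked again in step 2
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    # Step 2: Keycloak redirects the browser back to redirect_uri with ?code=...&state=...
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: reject the callback (CSRF or stale login)")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def token_request_form(client_id, client_secret, redirect_uri, code, code_verifier):
    # Step 3: the backend POSTs this form to TOKEN_ENDPOINT server-to-server
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # must match the value sent in step 1
        "code": code,
        "code_verifier": code_verifier,  # proves the same party started the flow
    }
```

The dict from token_request_form is what the backend POSTs to TOKEN_ENDPOINT with Content-Type application/x-www-form-urlencoded; the browser only ever sees the authorization URL and the callback.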
