Token based login for APIs

Hello, I have a Docker-based traefik, keycloak, traefikforwardauth setup that is working for interactive logon.

https://github.com/stevegroom/traefikGateway/tree/master/traefik

I need to create an access token that I can append to requests to the traefik API service (or any other resource). I am monitoring groups of services with a NodeRed dashboard.

I tried googling the solution but I'm not quite on the right path.

The OAuth 2.0 Authorization Framework: Bearer Token Usage 2.3. URI Query Parameter indicates that I should be able to add a query parameter

like this:

GET /resource?access_token=mF_9.B5f-4.1JqM HTTP/1.1
Host: server.example.com

I requested an access token but the returned variable is over 1300 bytes which seems rather excessive to add to a URL.

curl --location --request POST 'https://keycloak.mydomain/auth/realms/master/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: AUTH_SESSION_ID=0e93b8fc-a236-4270-991a-3d7b23ab9d34.e8d8c72d2aee; KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1iHaInR5cCIgOiAiSldUIiwia2lkIiA6ICIxMjIwY2M1OS1jYzVlLTRkMjYtODM2OC1hMmRlNjdjMDY3N2QifQ.eyJqdGkiOiJmYTg2Mjg2OS1hZmQwLTQ1MDQtOGI3Ny05MWI4MzIxYzY4MTYiLCJleHAiOjE1ODc3NTgwNTcsIm5iZiI6MCwiaWF0IjoxNTg3NzIyMDU3LCJpc3MiOiJodHRwczovL2tleWNsb2FrLmdyb29tcy5wYWdlvcmVhbG1zL21hc3RlciIsInN1YiI6IjZjZGY4NTMwLWVkMWMtNGU2My1iOWE1LTQ3MmUzYzc2NzBkMSIsInR5cCI6IlNlcmlhbGl6ZWQtSUQiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiIwZTkzYjhmYy1hMjM2LTQyNzAtOTkxYS0zZDdiNWZhYjlkMzQiLCJzdGF0ZV9jaGVja2VyIjoiM1FyeWVkdjJeG9MaVV4bC1SRThrdU9CNXBLeVY3ajdZMCJ9.yt3pwMpOPZL6RicLLZVpyCXNekVM_60sOSorfEd1fCA; KEYCLOAK_SESSION_LEGACY=master/6cdf8550-ed1c-4e63-b9a5-472e3c7670d1/0e93b8fc-a236-4270-9221a-3d7b5fab9d34; _forward_auth_csrf=8504ce17b0e1f60f8ee3ab5082ec53ef' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=generic' \
--data-urlencode 'client_secret=d6b195cb-b2a6-4093-ab1f-b553af5482fb' \
--data-urlencode 'scope=openid' \
--data-urlencode 'username=steve' \
--data-urlencode 'password=noyoudont!'

The returned body is a valid JWT. I tried the same with grant_type=password as was suggested in other googled resources, but neither worked:

Recap:
I want to generate an API access code in order to have node-red authenticate to resources protected by Traefik 2.2 without an interactive login.

POST https://keycloak.mydomain/auth/realms/master/protocol/openid-connect/token

returned a valid JWT including access_token

GET https://whoami.mydomain?access_token=1300charactershere returns:

Keycloak
We are sorry...
Invalid Request

Has anyone managed this type of access?

regards
Steve

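Added example (not part of the post above, and not code from traefik-forward-auth or Keycloak): a resource-server-side sketch of the three token transports in RFC 6750 sections 2.1 to 2.3, showing why the `?access_token=` form from section 2.3 is the one a server is most likely to refuse. The names `extract_bearer_token`, `BearerError` and `allow_query` are hypothetical, and whether the middleware in this thread accepts bearer tokens at all is not established here.

```python
from urllib.parse import parse_qs


class BearerError(Exception):
    """RFC 6750 section 3.1 'invalid_request'; a server would answer HTTP 400."""


def extract_bearer_token(headers, query_string="", body="", method="GET",
                         allow_query=False):
    """Return (token, transport), or (None, None) when no token was sent."""
    h = {k.lower(): v for k, v in headers.items()}
    found = []

    # Section 2.1: "Authorization: Bearer <token>" (scheme is case-insensitive).
    scheme, _, value = h.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        found.append((value.strip(), "header"))

    # Section 2.2: form-encoded request body, never on GET.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if method.upper() != "GET" and ctype == "application/x-www-form-urlencoded":
        found += [(t, "body") for t in parse_qs(body).get("access_token", [])]

    # Section 2.3: URI query parameter. URLs end up in proxy and access logs,
    # so this sketch refuses it unless the caller explicitly enables it.
    in_query = parse_qs(query_string).get("access_token", [])
    if in_query and not allow_query:
        raise BearerError("invalid_request: access_token in URI query not accepted")
    found += [(t, "query") for t in in_query]

    # The token must arrive by exactly one method, exactly once.
    if len(found) > 1:
        raise BearerError("invalid_request: more than one access token supplied")
    return found[0] if found else (None, None)


if __name__ == "__main__":
    token = "mF_9.B5f-4.1JqM"  # example token from RFC 6750, as quoted in the post
    print(extract_bearer_token({"Authorization": f"Bearer {token}"}))
    print(extract_bearer_token({}, f"access_token={token}", allow_query=True))
```

RFC 6750 says the query form SHOULD NOT be used unless the header and body forms are impossible, so a client should try the `Authorization` header first.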

I am also facing the same issue. Is that resolved? Any solution for this scenario?
I can connect to my Keycloak auth server if I open the resource in the browser,
but if I use Postman as part of API testing then the token is not working.
We have used the "mesosphere/traefik-forward-auth" image as middleware to connect to Keycloak.

Just coming back to this topic. Still no success, but did take a look at the new Traefik Hub beta and it might offer a solution - it currently adds basic auth and JWT auth to published services...