Authentication REST API


I’m trying to identify the Keycloak REST API used during authentication; this doesn’t seem to be documented in the Keycloak REST API document.

Running the Keycloak UI, I enter credentials at the ‘Sign in to your account’ prompt, and click ‘Sign In’. Using developer tools in Google Chrome, I’m able to see the REST API that is used:


Query String Parameters

session_code: 4Px1gX85nczeCtbKloWWVACCaKRgPyQbeR1Cdsdy6ZQ
execution: c53355ab-0680-4273-b7a9-6e31aa51d41f
client_id: account-console
tab_id: dm_nsFMmEZg

Form Data

username: Administrator
password: *Tee.off001

In addition to authenticating based on username and password, my application also authenticates based on membership in a group. Is this supported by this authentication REST API?


So, to try and make sense of what you’re seeing, the authentication flow name “Browser” includes an execution “Username Password Form” with a providerId of auth-username-password-form. That correlates with UsernamePasswordFormFactory and UsernamePasswordForm which you can read on GitHub. That’s the code that’s being executed to authenticate your user when you’re logging into Keycloak. And “execution” is a step in the “flow” and for a given flow all executions are run through leading to the user being authenticated or rejected.

All the params you’re seeing correlate with the code being executed and let Keycloak figure out where you are in the flow so that it can perform actions or go on to the next execution.

Are you trying to call into something or are you just trying to understand the flow?

Thanks for this explanation. Looking at the REST API manual, I see many REST API calls related to authentication. I see calls that allow CRUD operations to allow me to change various aspects/components of the authentication flow. But I’m not finding a REST API call that I use to initiate execution of, for instance, the “Browser” authentication flow. Thanks.

Typical OIDC or OAuth flow redirects the user’s browser to an authentication service (in this case Keycloak) to initiate and handle the authentication flow. There’s a list of Adapters to manage this; I’ll reference the Java Servlet-Filter one here as the code is pretty easy to follow.

The AuthChallenge generates a redirect to the Keycloak server based on the client-id and client secret (part of the client config) and from there Keycloak knows what flow to initiate based on the client config.

If you’re trying to start the flow directly as a backend application call to Keycloak then it sounds like you’re wanting the Direct-Grant flow. This isn’t as secure as it allows the end-user’s credentials to pass through the client application but it is supported by Keycloak. This flow lets you just send a username and password to a Keycloak REST API to get an access token (and id token).

I hope something in that explanation helps. If you look for examples of using one of the Adapters or examples of the Direct-Grant flow there are plenty.
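The Direct Grant exchange described above, as an added example (not Keycloak's own code and not posted in the thread): it builds the token request a backend would send, then reads the returned access token's claims to perform the group check the original question asked about. It assumes Keycloak's standard token endpoint path, a client with Direct Access Grants enabled, and a Group Membership mapper that adds a `groups` claim to the access token; the realm, client, user and sample token are constructed.

```python
"""Direct Grant against Keycloak: build the token request, then inspect the
returned access token. Added example, not Keycloak code. Assumes the standard
token endpoint /realms/{realm}/protocol/openid-connect/token and a client
mapper that adds a `groups` claim; every value below is constructed."""
import base64
import json
import time
import urllib.request
from urllib.parse import urlencode

def token_endpoint(base_url, realm):
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"

def direct_grant_body(client_id, client_secret, username, password):
    # grant_type=password is the OAuth2 password grant Keycloak calls Direct Grant.
    # The user's password passes through the client, which is why the thread
    # calls it less secure than redirecting the browser to Keycloak.
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "client_secret": client_secret,
                      "username": username, "password": password})

def request_tokens(base_url, realm, body):
    req = urllib.request.Request(
        token_endpoint(base_url, realm), data=body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # access_token, id_token, expires_in, ...

def jwt_claims(token):
    # Decodes the payload only and does NOT verify the signature: fine for
    # inspecting claims, never as the basis of an authorization decision.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def user_in_group(access_token, group, now=None):
    # The group check the asker wanted, layered on the username/password grant.
    claims = jwt_claims(access_token)
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False  # an expired token never grants access
    return group in claims.get("groups", [])

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample access token (unsigned, for offline demonstration only).
SAMPLE_ACCESS_TOKEN = ".".join([
    _b64url({"alg": "none"}),
    _b64url({"exp": 2_000_000_000, "preferred_username": "alice",
             "groups": ["/app-users"]}), ""])
```

In production, verify the token signature against the realm's JWKS before trusting any claim; `jwt_claims` is only for inspecting what the Direct Grant response carries.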

Thanks very much for your patient tutoring!