Authentication Methods
Keycloak offers several methods of authentication. SEAL Systems products use the following:
- Authorization Code Flow, which is used by
  - PLOSSYS Administrator
  - SEAL OP-CLI
  - SEAL Operator/SEAL Print Client
- Password Flow, which is used by
  - easyPRIMA
  - PLOSSYS CLI
  - PLOSSYS DocPrint
  - SEAL OP-CLI
- Client Credentials Flow, which is used by
  - PLOSSYS Infoclient
  - Web Portal
Authorization Code Flow
Authorization Code Flow is used for clients with interactive authentication via browser. SEAL clients use the OAuth 2.0 Code Flow.
The Authorization Code Flow procedure is as follows:
- The user opens the URL of the web application.
- The UI server of the web application checks whether the user request already contains a valid JSON Web Token.
- If there is no JSON Web Token, the UI server redirects the user request to the identity provider.
- The user authenticates directly at the identity provider, which then redirects back to the UI server.
- The UI server registers the now present JSON Web Token and allows using the application.
- If the JSON Web Token is expired, the UI server requests a new access token from the identity provider. This is done in the background without any interaction with the user.
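
The UI server's decision in the procedure above (allow, refresh in the background, or redirect to the identity provider), as an added example that is not SEAL Systems or Keycloak code. It assumes a constructed HS256 demo key so that it runs offline; Keycloak signs tokens with RS256 by default, so a real UI server would verify against the realm's public keys instead. The endpoint host, client ID and redirect URI are placeholders.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

# Constructed values (assumptions for this example, not from the page).
AUTH_ENDPOINT = "https://idp.example/realms/demo/protocol/openid-connect/auth"
CLIENT_ID, REDIRECT_URI = "demo-ui", "https://ui.example/callback"
DEMO_KEY = b"constructed-demo-key"  # stand-in for the identity provider's signing key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()

def make_demo_token(claims: dict) -> str:
    """Build a constructed HS256 token so the example runs offline."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(sign(f'{head}.{body}'))}"

def check_token(token, now=None):
    """Classify the token on a request as 'valid', 'expired' or 'invalid'."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm; never let the token header choose it.
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return "invalid"
        if not hmac.compare_digest(sign(f"{head}.{body}"), b64url_decode(sig)):
            return "invalid"
        # Expiry is only read after the signature has been verified.
        return "valid" if json.loads(b64url_decode(body))["exp"] > now else "expired"
    except (AttributeError, ValueError, KeyError, TypeError):
        return "invalid"

def handle_request(token, now=None):
    """UI server decision: allow, refresh in the background, or redirect."""
    status = check_token(token, now) if token else "invalid"
    if status == "valid":
        return ("allow", None)
    if status == "expired":
        return ("refresh", None)  # request a new access token without user interaction
    state = secrets.token_urlsafe(16)  # keep in the session, compare on callback
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "scope": "openid", "state": state})
    return ("redirect", f"{AUTH_ENDPOINT}?{query}")
```

A token with a bad signature is treated like a missing token and sent to the identity provider; only a correctly signed but expired token takes the background refresh path.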
Password Flow
Password Flow is used for clients with non-interactive authentication. SEAL clients use the OAuth 2.0 Password Flow.
The Password Flow procedure is as follows:
- The user authenticates at the client with their credentials, i.e. enters user name and password.
- With these credentials, the client application requests an access token from the identity provider.
- After receiving the token from the identity provider, the client grants access to the application.