SPNEGO/GSSAPI authentication without browser/redirect-based flow


Jesper Dam

Jan 28, 2022, 6:40:34 AM
to Keycloak User
We have a native application, which currently does not use Keycloak, that is able to do SSO authentication using GSSAPI/Kerberos.
We're looking at moving to Keycloak, and I'm wondering if there is a way to support the same use case.

From browsing the documentation, it appears Keycloak supports SPNEGO, which would be fine, except it still seems to be tied to the browser-based flow, which means we depend on the browser having SPNEGO supported/enabled, and also we lose the ability to provide a Kerberos ticket cache of our choice rather than just using the system default.

What we'd like instead is something like the password grant flow, where the application can just make an HTTP request to Keycloak with the SPNEGO token, and get a Keycloak access token back, without having to rely on a browser, HTML, JavaScript and page redirects.

Is anything like this possible?

Thanks in advance,
/ Jesper

Evan Schnell

Jan 30, 2022, 11:00:42 AM
to Keycloak User
This old list thread seems to align with what I'd recommend for sending the Kerberos token via the direct grant somehow. The keytab file specified under LDAP should be able to check it.

The Jira it referenced is closed, so probably can't expect an OOTB solution at this point, right?

Does anyone have sample code for either client or SPI?

Thanks, Evan
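The client half Evan asks about, as an added example that is not code from this thread or from Keycloak. It assumes a custom direct-grant authenticator on the Keycloak side that reads an `Authorization: Negotiate` header and validates it against the keytab (Keycloak ships no such authenticator out of the box, as the thread notes); the token URL, service principal and the `gssapi` package usage are assumptions.

```python
import base64
import urllib.parse
import urllib.request

# Hypothetical values: replace with the real realm token endpoint and the SPN of the Keycloak host.
TOKEN_URL = "https://keycloak.example.com/realms/demo/protocol/openid-connect/token"
SERVICE = "HTTP@keycloak.example.com"


def acquire_spnego_token(service=SERVICE, ccache=None):
    """Produce the first SPNEGO token from a ticket cache of the caller's choice.

    ccache is e.g. "FILE:/tmp/krb5cc_app"; None falls back to the default cache,
    which is exactly the limitation of the browser flow the thread describes.
    Needs the python-gssapi package and MIT Kerberos at runtime (assumption).
    """
    import gssapi  # lazy import: the request-building code below works without it
    name = gssapi.Name(service, gssapi.NameType.hostbased_service)
    store = {"ccache": ccache} if ccache else None
    creds = gssapi.Credentials(usage="initiate", store=store)
    spnego = gssapi.OID.from_int_seq("1.3.6.1.5.5.2")  # SPNEGO mechanism OID
    ctx = gssapi.SecurityContext(name=name, creds=creds, usage="initiate", mech=spnego)
    return ctx.step()  # first leg; the server may answer with a continuation token


def build_direct_grant_request(token_url, client_id, spnego_token, client_secret=None):
    """Password-grant-shaped request with no username/password: the SPNEGO token
    rides in the Authorization header for the (assumed) custom authenticator."""
    form = {"grant_type": "password", "client_id": client_id}
    if client_secret:
        form["client_secret"] = client_secret
    headers = {
        "Authorization": "Negotiate " + base64.b64encode(spnego_token).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")


def parse_negotiate_challenge(www_authenticate):
    """Return the server's continuation token from a WWW-Authenticate header, or None.

    A bare "Negotiate" (no blob) means the server wants a token but got none."""
    for part in (www_authenticate or "").split(","):
        scheme, _, blob = part.strip().partition(" ")
        if scheme.lower() == "negotiate" and blob.strip():
            return base64.b64decode(blob.strip())
    return None
```

On a 401 the server's WWW-Authenticate header either carries a mutual-auth continuation token to feed back into `ctx.step()` or is a bare `Negotiate`, which means the token was rejected or absent.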
