Working with Keycloak TokensWith PAS 23.1.1, the Scheer PAS installation comes with the default Keycloak client api-management-oauth. Keycloak clients are entities that can request Keycloak to authenticate a user. In most cases, Keycloak clients are applications and services that want to use Keycloak to secure themselves and provide a single sign-on solution. However, clients can also be entities that just want to request identity information or an access token so that they can securely invoke other services on the network. If you use the Keycloak OAuth policy, we recommend to check against the default client api-management-oauth. Multiexcerpt include |
---|
SpaceWithExcerpt | INTERNAL |
---|
MultiExcerptName | info_create_keycloak_client |
---|
PageWithExcerpt | _general_excerpts |
---|
|
How to Get the SecretTo retrieve a Keycloak token, you need to know the secret of the used client. Image Modified | Open the Identity Managament (Keycloak). Info |
---|
If your user has no permission for the identity management, contact an administrator and ask him to provide the secret. |
| Image Modified | You will find the secret of the client in the PAS realm: Clients > Credentials > Client Authenticator: Client Id and Secret > Client secret Info |
---|
If field Client secret does not contain any content, click Regenerate once. |
| How to Retrieve the Keycloak TokenThe token exchange in Keycloak is a very loose implementation of the IETF's OAuth Token Exchange specification. It is a simple grant call on the OpenID Connect token endpoint of a realm. It accepts form parameters (application/x-www-form-urlencoded ) as input. The output depends on the type of token for which you requested an exchange. The token exchange is a client endpoint, so requests must include authentication information for the calling client. The client_secret parameter is required for clients that use form parameters for authentication and use a client secret as credentials. A list of all form parameters can be found in the official Keycloak documentation > Form parameters. The token URL is composed as follows: https://<system name>/<client name>/keycloak/realms/<realm name>/ protocol/openid-connect/token
Example: - https://scheer-acme.com/acme-test/keycloak/realms/PAS/protocol/openid-connect/token
Send your request to the token URL. Example: Code Block |
---|
| curl --location 'https://scheer-acme.com/acme-test/keycloak/realms/PAS/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=<username>' \
--data-urlencode 'password=<password>' \
--data-urlencode 'client_id=api-management-oauth' \
--data-urlencode 'client_secret=<client-secret>' \
--data-urlencode 'grant_type=password' |
A successful response from an exchange call returns the HTTP 200 response code with a content type that depends on the requested-token-type and requested_issuer . Clients requesting a refresh token receive both an access token and refresh token back in the response. Clients requesting only an access token receive only an access token in the response. Expand |
---|
title | Click here to view an example response |
---|
|
Code Block |
---|
| {
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
"expires_in": 300,
"refresh_expires_in": 7200,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
"token_type": "Bearer",
"not-before-policy": 0,
"session_state": "f5dd0490-aaf8-42f7-87b5-df0c7b1cb4a7",
"scope": "email profile pas_user"
} |
|
How to Use the Token for a RequestYou have to send the received token with each request as authorization header. If you use the PAS internal request UI (Swagger UI), the token is set automatically. Example: Code Block |
---|
| curl --location 'https://scheer-acme.com/acme-test/gateway/test/hello-oauth/1.0' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c' | Authentication With Keycloak OAuthKEYCLOAKOAUTH
|