Comment: keycloak_tokens divided into: keycloak_tokens_get_secret, keycloak_tokens_retrieve_token

...

unable_to_render_definition


Note

Please note that the autosave is not triggered after the upload of an invalid file.
If the definition content shows the message Unable to render this definition, your changes have not been saved and will be discarded if you leave the page.


keycloak_tokens_get_secret

Used on:

...


Working with Keycloak Tokens

With PAS 23.1.1, the Scheer PAS installation comes with the default Keycloak client api-management-oauth. Keycloak clients are entities that can request Keycloak to authenticate a user. In most cases, Keycloak clients are applications and services that want to use Keycloak to secure themselves and provide a single sign-on solution. However, clients can also be entities that just want to request identity information or an access token so that they can securely invoke other services on the network.

If you use the Keycloak OAuth policy, we recommend checking against the default client api-management-oauth.

Included excerpt: info_create_keycloak_client (page _general_excerpts, space INTERNAL)

How to Get the Secret

To retrieve a Keycloak token, you need to know the secret of the used client.

Open the Identity Management (Keycloak).

Info

If your user has no permission for the identity management, contact an administrator and ask them to provide the secret.


You will find the secret of the client in the PAS realm:

Clients > Credentials > Client Authenticator: Client Id and Secret > Client secret

Info

If the field Client secret is empty, click Regenerate once.

How to Retrieve the Keycloak Token



keycloak_tokens_retrieve_token

Used on:



The token exchange in Keycloak is a very loose implementation of the IETF's OAuth Token Exchange specification. It is a simple grant call on the OpenID Connect token endpoint of a realm. It accepts form parameters (application/x-www-form-urlencoded) as input. The output depends on the type of token for which you requested an exchange. The token exchange is a client endpoint, so requests must include authentication information for the calling client.

The client_secret parameter is required for clients that use form parameters for authentication and use a client secret as credentials. A list of all form parameters can be found in the official Keycloak documentation > Form parameters.

The token URL is composed as follows:

  • https://<system name>/<client name>/keycloak/realms/<realm name>/protocol/openid-connect/token

Send your request to the token URL.

Example:

Example Request:

curl --location 'https://scheer-acme.com/acme-test/keycloak/realms/PAS/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=<username>' \
--data-urlencode 'password=<password>' \
--data-urlencode 'client_id=api-management-oauth' \
--data-urlencode 'client_secret=<client-secret>' \
--data-urlencode 'grant_type=password'

A successful response from an exchange call returns the HTTP 200 response code with a content type that depends on the requested_token_type and requested_issuer. Clients requesting a refresh token receive both an access token and a refresh token in the response. Clients requesting only an access token receive only an access token in the response.

Example Response:
{
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
    "expires_in": 300,
    "refresh_expires_in": 7200,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
    "token_type": "Bearer",
    "not-before-policy": 0,
    "session_state": "f5dd0490-aaf8-42f7-87b5-df0c7b1cb4a7",
    "scope": "email profile pas_user"
}



Expert Advice

For detailed information about the token exchange, refer to the official Keycloak documentation > Using token exchange.

How to Use the Token for a Request

You have to send the received token with each request in the Authorization header (Authorization: Bearer <token>).

If you use the PAS internal request UI (Swagger UI), the token is set automatically.

Example:

Example API Request:

curl --location 'https://scheer-acme.com/acme-test/gateway/test/hello-oauth/1.0' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
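The token retrieval and its use in the Authorization header, as an added Python example (not Scheer PAS or Keycloak code): it composes the token URL from the components given above, builds the form bodies for the password grant and for the standard OAuth refresh grant, turns expires_in into an absolute expiry so a caller knows when to refresh, and decodes the JWT payload for inspection. The sample response is constructed from this page's example response; the function names and the 30-second refresh leeway are assumptions.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Added example (not PAS/Keycloak code). SAMPLE_* is constructed from the page's example response.
SAMPLE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6"
                "IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")
SAMPLE_RESPONSE = json.dumps({"access_token": SAMPLE_TOKEN, "expires_in": 300,
                              "refresh_expires_in": 7200, "refresh_token": SAMPLE_TOKEN,
                              "token_type": "Bearer"})

def token_url(system_name, client_name, realm_name):
    # https://<system name>/<client name>/keycloak/realms/<realm name>/protocol/openid-connect/token
    return f"https://{system_name}/{client_name}/keycloak/realms/{realm_name}/protocol/openid-connect/token"

def password_grant_body(username, password, client_id, client_secret):
    # Form parameters for grant_type=password, matching the curl example above.
    return urlencode({"username": username, "password": password, "client_id": client_id,
                      "client_secret": client_secret, "grant_type": "password"})

def refresh_grant_body(refresh_token, client_id, client_secret):
    # Standard OAuth refresh grant: renew the access token without re-sending the password.
    return urlencode({"refresh_token": refresh_token, "client_id": client_id,
                      "client_secret": client_secret, "grant_type": "refresh_token"})

def parse_token_response(raw_json, now):
    # Turn the relative expires_in into an absolute timestamp for later checks.
    data = json.loads(raw_json)
    return {"access_token": data["access_token"], "refresh_token": data.get("refresh_token"),
            "expires_at": now + data["expires_in"]}

def request_token(url, body, now):
    # POST the form body to the token endpoint (performs a network call).
    req = Request(url, data=body.encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode(), now)

def auth_header(token):
    return {"Authorization": f"Bearer {token['access_token']}"}

def needs_refresh(token, now, leeway=30):
    # True once the access token is expired or about to expire; then use refresh_grant_body.
    return now + leeway >= token["expires_at"]

def jwt_claims(access_token):
    # Decode the payload segment only to inspect claims; this does NOT verify the signature.
    payload = access_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```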


policy_overview

Used on:

...