Keycloak Client Credentials Flow Clarification

23,181

I think you're misunderstanding some OAuth concepts right here. The client_credentials grant should only be used for a service itself to grant access to a specific resource. Imagine this scenario:

End User -> Docs Service -> Docs Repo

The end user has access to some docs stored in the repo through the docs service. In this case, the service makes the decision to grant the user access to a specific document or not, since the repo is a mere content server. Obviously, both of them are secured through two different Keycloak clients.

However, the docs service needs to have full access to the repo. It can access any document it requests. The solution is to give the docs service a service account role, let's say DOC_MANAGER, and make the repo check for this role when a resource is requested. The service authenticates with client_credentials and gets access to the resource as a service.

But the end user will perform a standard login, using the Authorization Code flow, for example, and get access to the doc through the service. The service will check for another role, let's say DOC_USER, and check whether the user has access to this concrete resource or not, before going to the repo.

You can read more about Keycloak service accounts here.

Author: Admin
Updated on July 05, 2022
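The two-role design from the answer above, worked through as an added example (not code from the answer, from Keycloak, or from the question's setup). It models the Docs Repo accepting only a DOC_MANAGER service-account token and the Docs Service checking DOC_USER plus a per-user ownership table before calling the repo on the user's behalf. Every name in it is constructed: the roles, the client ids used as audiences (docs-repo, docs-service), the users and documents. Keycloak signs access tokens with RS256 using the realm key, so the HMAC secret here is a stand-in that lets the demo run offline; the audience check assumes an audience mapper is configured on each client, and the claim layout (`realm_access.roles`, `preferred_username`) is the one Keycloak emits for realm roles.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; Keycloak really signs with RS256 and the realm key pair.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"
FIXED_NOW = 1_700_000_000  # frozen clock so token expiry is deterministic

DOCS = {"doc-1": "alice's report", "doc-2": "bob's notes"}  # what the Docs Repo serves
DOC_OWNERS = {"doc-1": "alice", "doc-2": "bob"}  # per-user rights kept by the Docs Service


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()


def make_token(claims: dict) -> str:
    """Mint a demo JWT; stands in for what the realm's token endpoint returns."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = _b64url(_sign(f"{header}.{payload}".encode()))
    return f"{header}.{payload}.{signature}"


def verify_token(token: str, audience: str, now: float = None) -> dict:
    """Check signature, expiry and audience before trusting any claim."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, payload, signature = parts
    expected = _sign(f"{header}.{payload}".encode())
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if audience not in aud:
        raise PermissionError("token was not issued for this audience")
    return claims


def realm_roles(claims: dict) -> set:
    """Keycloak places realm roles under realm_access.roles."""
    return set(claims.get("realm_access", {}).get("roles", []))


def docs_repo_fetch(token: str, doc_id: str, now: float = None) -> str:
    """Docs Repo: a plain content server that only trusts DOC_MANAGER callers."""
    claims = verify_token(token, audience="docs-repo", now=now)
    if "DOC_MANAGER" not in realm_roles(claims):
        raise PermissionError("DOC_MANAGER role required")
    return DOCS[doc_id]


def docs_service_read(user_token: str, doc_id: str, service_token: str, now: float = None) -> str:
    """Docs Service: authorises the end user, then fetches from the repo as a service."""
    claims = verify_token(user_token, audience="docs-service", now=now)
    if "DOC_USER" not in realm_roles(claims):
        raise PermissionError("DOC_USER role required")
    if DOC_OWNERS.get(doc_id) != claims.get("preferred_username"):
        raise PermissionError("user may not read this document")
    return docs_repo_fetch(service_token, doc_id, now=now)


def demo_tokens(now: float = FIXED_NOW) -> dict:
    """Constructed stand-ins for the tokens the two grants would return."""
    service = make_token({  # client_credentials grant -> service-account token
        "sub": "service-account-docs-service",
        "preferred_username": "service-account-docs-service",
        "aud": "docs-repo", "exp": now + 300,
        "realm_access": {"roles": ["DOC_MANAGER"]},
    })
    alice = make_token({  # Authorization Code grant -> end-user token
        "sub": "user-alice", "preferred_username": "alice",
        "aud": "docs-service", "exp": now + 300,
        "realm_access": {"roles": ["DOC_USER"]},
    })
    return {"service": service, "alice": alice}


if __name__ == "__main__":
    t = demo_tokens()
    print(docs_service_read(t["alice"], "doc-1", t["service"], now=FIXED_NOW))
```

The point of the split is visible in the failure cases: the user token presented directly to the repo is rejected twice over (wrong audience, no DOC_MANAGER), and the service token never reaches a per-user decision because that decision lives in the Docs Service, not in the token.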

Comments

  • Admin, almost 2 years

    I am using Keycloak server to implement SSO. I am able to get access token for a specific client using client_credentials flow.

    However, my observation is that the access token is granted for internal service account of the client. I would like to get access token for other users present in realm by providing some additional parameter to the token endpoint.

    Below is the current request I make to token endpoint using Postman Chrome extension:

    POST http://localhost:8080/auth/realms/<realm>/protocol/<protocol>/token
    
    x-www-form-urlencoded
    
    grant_type        client_credentials
    client_id         <client_id>
    client_secret     <client_secret>
    

    Please let me know if this is possible. Also, I would like to convey that I am totally new to Keycloak and the OpenID Connect protocol.

  • Admin, over 7 years
    Thank you very much for the explanation. It's very clear and understandable. I myself had a similar thought. I asked this because this is the requirement given to me. Now, I confirmed the requirement given to me doesn't make any sense. :-)
  • Sèb, over 6 years
    The last link led me to a 404 page :/
  • Aritz, over 6 years
    @Sèb fixed ;-)))
  • Dubrzr, about 2 years
    This does work if you want to have full access to the Docs Repo, but let's say you want to restrict access to the Docs Repo to just a part of it using rights based on a user in a realm instead of a role specified in the access token? This does not work. I don't get why the flow could not deliver access tokens to Docs Service using user/password from a realm. Why must we use a client_id and client_secret?