Refresh access_token via refresh_token in Keycloak
Solution 1
keycloak has REST API for creating an access_token using refresh_token. It is a POST endpoint with application/x-www-form-urlencoded
Here is how it looks:
Method: POST
URL: https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token
Body type: x-www-form-urlencoded
Form fields:
client_id : <my-client-name>
grant_type : refresh_token
refresh_token: <my-refresh-token>
This will give you new access token using refresh token.
NOTE: if your refresh token is expired it will throw 400 exception in that you can make user login again.
Check out a sample in Postman, you can develop and corresponding API using this.
Solution 2
@maslick is correct you have to supply the client secret too, no need for authorization header in this case:
http://localhost:8080/auth/realms/{realm}/protocol/openid-connect/token
In case of expired refresh token it returns:
If you don't add the secret you get 401 unauthorized even though the refresh token is correct
Solution 3
I tried with 4.8.2.Final, it gives following unauthorized_client even with previous access token as 'Bearer'.
Then I tried with Basic YXBwLXByb3h5OnNlY3JldA== in Authorization header.
Then it worked, But still I'm not sure that I am doing right thing.
Solution 4
Extending Yogendra Mishra's answer. Note that
client_id and client_secret can also be sent in Authorization header.
Authorization: Basic ${Base64(<client_id>:<client_secret>)}
This works for both initial token call (without refresh token) and refresh token call to /openid-connect/token endpoint
Reference: https://developer.okta.com/docs/reference/api/oidc/#client-secret
Related videos on Youtube
12 : 37
13 : 25
16 : 46
09 : 07
08 : 30
15 : 58
42 : 55
RaiBnod
Software engineer with more than 7 years of mixed experiences on Big Data applications, IoT technologies, B2B, B2C eCommerce products. Skilled at optimizing user-friendly interfaces and software capabilities through the integration of the latest technologies and techniques. Capable of translating user requirements into new features and functionality through cutting-edge solutions and seamless deliverables.
Updated on February 11, 2022Comments
-
RaiBnod about 2 years
I need to make the user keep login in the system if the user's
access_tokenget expired and user want to keep login. How can I get newly updatedaccess_tokenwith the use ofrefresh_tokenon Keycloak?I am using vertx-auth for the auth implementation with Keycloak on vert.x. Is it possible to refresh
access_tokenwith vertx-auth or Keycloak's REST API itself? Or what will be another implementation of this? -
rrrocky over 5 yearsI tried this with
2.5.4and it still requires the client secret for this request. It makes now sense though as to why the client secret will be required if the refresh token is being provided. -
rrrocky over 5 yearsThe client secret is required only if it is a confidential client. Public clients do not require the client secret.
-
Kimble over 5 yearsCan someone explain why the client secret is required when refreshing a token for a confidential client?
-
charliebeckwith over 5 yearsFor the Authorization headers it all comes down to what the server is looking for in the header value. If this works then you're probably not incorrect.
-
maslick about 5 yearsYou're probably using a confidential client, so you need to includeclient_secretin the request -
Panup Pong over 4 years@all ,Why refresh token is jwt format? stateless but google and auth0 use stateful. -
ganesan arunachalam almost 4 yearswhy would anyone want to use refresh token if I have to pass client_secret for confidential client? IMO, Keycloak should return access_token just by passing client_id and refresh_token since it acts like a secret.
-
bck over 3 years@Kimble confidential client in Keycloak is meant to server applications, where storing a client secret is secure. Take a look on the docs (here)[keycloak.org/docs/6.0/server_admin/#oidc-clients] -
iamatsundere181 over 3 yearsHi all, I know it's old but I want to ask a bit. I use login phase to get the init token with aud=app1 for example. But when the token is expired, I tried and to refresh the token by calling http://{uri}/realms/{my_realm}/protocol/openid-connect/token, and the result I get the token with different aud, like aud=app2. So how can It be and how can I change app2 to app1, thanks! -
Matteo over 2 years@BasselKh so client secret is not needed? If so may I ask your client configuration? Thanks
-
Bassel Kh over 2 years@Matteo : grant_type: refresh_token , client_id: your client id , refresh_token: the original refresh token
-
Matteo over 2 yearsI have just tested it, you only need the client secret if the client that issued the token is confidential
-
Antonis S over 2 yearsIt seems this request also returns a new refresh token. Is this correct? If we want to renew an access token, the refresh token should be refreshed as well? Or the correct flow will be: use access tokens -> if access token expires: use refresh token to get new access token -> if refresh token expires: login and get new refresh and access token. By always creating a new refresh token, it seems that logout could never hapen.
