[keycloak-dev] Support rfc6750 Form-Encoded Body Parameter for access tokens in Keycloak

Alexander Schwartz alexander.schwartz at gmx.net
Fri Apr 28 10:30:22 EDT 2017

Hi Keycloak Developers,

RFC6750 allows the access token to be submitted as part of a POST 
request. I found that this is the only good way to do file downloads in 
a JavaScript frontend.


Excerpt: When sending the access token in the HTTP request entity-body, 
client adds the access token to the request-body using the 
"access_token" parameter. [...] Resource servers MAY support this method.

I don't remember a thread on this mailing list. The only place I could 
find in the code was the User Endpoint that does this quite manually.

Currently Keycloak only supports the query parameter using 
QueryParamterTokenRequestAuthenticator. A similar class will be needed 
to support a Form Parameter. Like the 
QueryParamterTokenRequestAuthenticator it will be part of the request 
processing and it will not be configurable.

I'd like to open a JIRA issue for this as part of the Java Keycloak 
Clients to track the efforts and thoughts.

Comments welcome!


Alexander Schwartz (alexander.schwartz at gmx.net)

More information about the keycloak-dev mailing list