[keycloak-user] Use refresh token for authentication

Sebastian Olscher sebastian.olscher at traveltainment.de
Wed Sep 16 06:25:56 EDT 2015

Hello guys,

we ´re using the "Direct Grant Access" flow described in chapter 15 in the keycloak users documentation. As we understood, the following steps are necessary:

1.: Do the token request with "username/password" and "grant_type=password" to the token server (keycloak).
2.: The token response from keycloak contains an "access_token" and a "refresh_token".
3.: Normally, the client uses the "access_token" within the HTTP-Header (Authorization Bearer *access_token*) to do the authentication.

Everything works as expected. We have found that you can also use the "refresh_token" instead of the "access_token" in step 3 to do the authentication and it will be still successful. From our point of view, this is possible, because the keycloak-wildfly-security-module does not check the token-type. But, from our understanding the "refresh_token" is not intended to do the authentication, so this should not work, right? So my two questions are:

1.: Why is the authentication with the "refresh_token" successful?
2.: The "refresh_token" in the token response is defined as an optional element within the OAUth-2.0 specification, so is there any possibility to prevent keycloak returning it?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150916/e100374c/attachment-0001.html 

More information about the keycloak-user mailing list