[keycloak-user] Access token or ID token
Bill Burke
bburke at redhat.com
Tue Aug 2 15:25:06 EDT 2016
Keycloak devs recommend using our javascript adapter and auth-code
flow. Why? Implicit flow requires you to re-do the browser redirect
dance when the access token expires.
On 8/2/16 3:19 PM, Scott Rossillo wrote:
>
> Just to address your concern about Angular vs Java: Angular uses OIDC
> implicit flow and the Java adapters use the authorization code flow.
> You don’t get an access token or id token back from the login
> redirect. You get an authorization code which may then be exchanged
> for a set of OIDC tokens.
>
> The authorization code flow is something like:
>
> User -> Service : request a secured resource
> Service -> User: redirect to Keycloak login page
> User -> Keycloak : submit login page
> Keycloak -> User : redirect back to Service with this authorization
> code on the URL
> User -> Service: original request + code
> Service -> Keycloak : exchange auth code for token(s), store tokens,
> serve secure resource
>
> The authorization code flow doesn’t expose the actual tokens to the
> user and is considered more secure.
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com <mailto:srossillo at smartling.com>
>
>> On Aug 2, 2016, at 8:05 AM, Mohan.Radhakrishnan at cognizant.com
>> <mailto:Mohan.Radhakrishnan at cognizant.com> wrote:
>>
>> It is working as you describe. I can either get access or ID token.
>> In either case -response_type=id_token and
>> response_type=id_token%20token – the method call is the same.
>> KeycloakPrincipal.getKeycloakSecurityContext().getToken().
>> getRealmAccess().getRoles().stream().forEach(f->
>> System.*/out/*.println(f));
>> It works like that.
>> So here keycloak.json is used by the filter to validate the ID token
>> by contacting the the IDP and then also requesting for the access
>> token. Right ?
>> The doubt I still have is my other
>> thread(http://lists.jboss.org/pipermail/keycloak-user/2016-July/007064.html)
>> The answer there mentions that when a request comes into the website the application, the session ID is used to establish who you are.
>> But that is the ID token. Hope I am mixing two different concerns here.
>> Thanks,
>> Mohan
>> *From:*Marek Posolda [mailto:mposolda at redhat.com]
>> *Sent:*Monday, August 01, 2016 10:50 PM
>> *To:*Radhakrishnan, Mohan (Cognizant)
>> <Mohan.Radhakrishnan at cognizant.com
>> <mailto:Mohan.Radhakrishnan at cognizant.com>>;keycloak-user at lists.jboss.org
>> <mailto:keycloak-user at lists.jboss.org>
>> *Subject:*Re: [keycloak-user] Access token or ID token
>> Not sure exactly about all the details of your setup etc. However
>> from the first look, if you use "response_type=id_token" , then
>> Keycloak will return you just idToken, but not accessToken at all.
>>
>> If you want both idToken and accessToken, you need to use value
>> "id_token token".
>>
>> So encoded parameter will be something like
>> "response_type=id_token%20token"
>>
>> Marek
>>
>> On 01/08/16 11:41,Mohan.Radhakrishnan at cognizant.com
>> <mailto:Mohan.Radhakrishnan at cognizant.com>wrote:
>>
>> Hi,
>> My ID token flow and OIDC filter are working. But I am still
>> doubtful about my implementation. When I used another
>> IDP(IdentifyServer3) the redirect URL issued from
>> AngularJS gave me the access token with the ID token embedded in
>> it directly.
>> But now I am using this code.
>>
>> AccessTokenaccessToken=keycloakPrincipal.getKeycloakSecurityContext().getToken();
>> URL is this.
>> _http://localhost:8080/auth/realms/Test/protocol/openid-connect/auth?response_type=id_token&redirect_uri=http://localhost:8000/keycloak/claim/&realm=Test&client_id=Test&scope=user_
>> Andhttps://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.htmlmentions
>> that keycloak.json is required to get the access token in AngularJS.
>> Am I missing something ? Why is there a difference ?
>> Thanks,
>> Mohan
>> This e-mail and any files transmitted with it are for the sole
>> use of the intended recipient(s) and may contain confidential and
>> privileged information. If you are not the intended recipient(s),
>> please reply to the sender and destroy all copies of the original
>> message. Any unauthorized review, use, disclosure, dissemination,
>> forwarding, printing or copying of this email, and/or any action
>> taken in reliance on the contents of this e-mail is strictly
>> prohibited and may be unlawful. Where permitted by applicable
>> law, this e-mail and other e-mail communications sent to and from
>> Cognizant e-mail addresses may be monitored.
>>
>>
>> _______________________________________________
>>
>> keycloak-user mailing list
>>
>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> This e-mail and any files transmitted with it are for the sole use of
>> the intended recipient(s) and may contain confidential and privileged
>> information. If you are not the intended recipient(s), please reply
>> to the sender and destroy all copies of the original message. Any
>> unauthorized review, use, disclosure, dissemination, forwarding,
>> printing or copying of this email, and/or any action taken in
>> reliance on the contents of this e-mail is strictly prohibited and
>> may be unlawful. Where permitted by applicable law, this e-mail and
>> other e-mail communications sent to and from Cognizant e-mail
>> addresses may be
>> monitored._______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160802/98270c55/attachment-0001.html
More information about the keycloak-user
mailing list