[keycloak-user] how to get a token in js webapp for bearer-only backend api client
chapani
chapani at protonmail.com
Tue Nov 20 08:27:58 EST 2018
Hi,
I got this setup for my app:
1. Keycloak server
2. Keycloak-protected nodejs backend (bearer-only)
3. PHP/Reactjs frontend
The frontend is optionally login-protected. For some users it will be required to log in, which will redirect the user to the Keycloak server. After a user is logged in, the frontend will have a bearer token to make API calls to the Keycloak-protected backend.
My problem is how to get a bearer token for users that don't need to be logged in (anonymous users).
I tried this approach:
1. Created "confidential" client to be used by PHP.
2. The frontend PHP gets a bearer token using client_id and client_secret and passes them to JavaScript (by that I mean printing out the token values inside a <script> tag as a global variable).
3. Initially, the frontend makes successful api calls because the access_token passed by php is fresh/valid.
4. After the access_token has expired, I will need to fetch a new one using the refresh_token.
5. But for that I need the client_secret, which is not available in the JS app (and it's not recommended to save the client_secret and password in a JS app, as you know).
I'm stuck here. I researched and read a lot of documentation, but failed to find a way to achieve that.
One other idea that crossed my mind was to make the bearer access_token long-lived, 6 hours for instance. But some users may use the app for more than that.
What options do I have?
Sent with [ProtonMail](https://protonmail.com) Secure Email.
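Steps 1 to 5 above, as an added example that is not part of the original post: a small Node helper in which the confidential client's secret and the refresh token stay on the server and the browser is handed only access tokens, with the expiry check that decides when the server fetches a new one. The base URL, realm, client id, secret and the injectable `post` function are assumptions; only Keycloak's token endpoint path and the standard grant_type and exp names are real.

```javascript
// Added example, not code from the original post. Server-side "token broker" pattern:
// the confidential client's secret stays on the PHP/Node server and the browser only
// ever receives short-lived access tokens. Keycloak's token endpoint path and the
// grant_type/exp names are real; the base URL, realm, client id, secret and the
// injectable `post` function are constructed placeholders.

const KEYCLOAK_BASE = 'https://keycloak.example.com/auth'; // assumed
const REALM = 'myrealm';                                    // assumed

// Form body Keycloak's token endpoint expects for the two grants used here.
function buildTokenRequest(grantType, { clientId, clientSecret, refreshToken }) {
  const form = new URLSearchParams({ grant_type: grantType, client_id: clientId, client_secret: clientSecret });
  if (grantType === 'refresh_token') form.set('refresh_token', refreshToken);
  return { url: `${KEYCLOAK_BASE}/realms/${REALM}/protocol/openid-connect/token`, body: form.toString() };
}

// Read the exp claim without verifying the signature: the broker only uses it to
// decide when to fetch a new token; the bearer-only backend does the real check.
function jwtExp(token) {
  return JSON.parse(Buffer.from(token.split('.')[1], 'base64').toString('utf8')).exp;
}

function needsRefresh(token, nowSec, skewSec = 30) {
  return jwtExp(token) - skewSec <= nowSec;
}

class TokenBroker {
  constructor({ clientId, clientSecret, post, now = () => Math.floor(Date.now() / 1000) }) {
    Object.assign(this, { clientId, clientSecret, post, now, accessToken: null, refreshToken: null });
  }
  // Called by a server endpoint the browser hits (e.g. GET /api/anon-token) instead of
  // the browser talking to Keycloak with a secret it must not hold.
  async getAccessToken() {
    if (this.accessToken && !needsRefresh(this.accessToken, this.now())) return this.accessToken;
    const grant = this.refreshToken ? 'refresh_token' : 'client_credentials';
    const { url, body } = buildTokenRequest(grant, this);
    const res = await this.post(url, body);            // POST application/x-www-form-urlencoded
    this.accessToken = res.access_token;
    this.refreshToken = res.refresh_token || this.refreshToken;
    return this.accessToken;
  }
}

// Constructed, unsigned JWT used only so the example runs offline.
function makeFakeJwt(exp) {
  const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url({ typ: 'JWT' })}.${b64url({ exp, azp: 'anon-client' })}.`;
}
```

The browser never sees client_secret or refresh_token; it only asks the server for a current access token and retries once on a 401 from the bearer-only backend.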