<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><br class=""></div><div class="">Just to address your concern about Angular vs Java: Angular uses OIDC implicit flow and the Java adapters use the authorization code flow. You don’t get an access token or id token back from the login redirect. You get an authorization code which may then be exchanged for a set of OIDC tokens.</div><div class=""><br class=""></div><div class="">The authorization code flow is something like:</div><div class=""><br class=""></div><div class="">User -> Service : request a secured resource</div><div class="">Service -> User: redirect to Keycloak login page</div><div class="">User -> Keycloak : submit login page</div><div class="">Keycloak -> User : redirect back to Service with this authorization code on the URL</div><div class="">User -> Service: original request + code</div><div class="">Service -> Keycloak : exchange auth code for token(s), store tokens, serve secure resource</div><div class=""><br class=""></div><div class="">The authorization code flow doesn’t expose the actual tokens to the user and is considered more secure.</div><br class=""><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">Scott Rossillo</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">Smartling | Senior Software Engineer</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><a href="mailto:srossillo@smartling.com" class="">srossillo@smartling.com</a></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
</div>
</div></div><br class=""><div><blockquote type="cite" class=""><div class="">On Aug 2, 2016, at 8:05 AM, <a href="mailto:Mohan.Radhakrishnan@cognizant.com" class="">Mohan.Radhakrishnan@cognizant.com</a> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(31, 73, 125);" class="">It is working as you describe. I can either get access or ID token.<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(31, 73, 125);" class=""><o:p class=""> </o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(31, 73, 125);" class="">In either case -<span class="Apple-converted-space"> </span></span>response_type=id_token and response_type=id_token%20token – the method call is the same.<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10pt; font-family: Consolas;" class=""> <span class="Apple-converted-space"> </span></span><span style="font-size: 10pt; font-family: Consolas; color: rgb(106, 62, 62);" class="">KeycloakPrincipal</span><span style="font-size: 10pt; font-family: Consolas;" class="">.getKeycloakSecurityContext().getToken().</span><span style="font-size: 10pt; font-family: Consolas; color: windowtext;" class=""><o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10pt; font-family: Consolas;" class=""> getRealmAccess().getRoles().stream().forEach(<span class="Apple-converted-space"> </span></span><span style="font-size: 10pt; font-family: Consolas; color: rgb(106, 62, 62);" class="">f</span><span style="font-size: 10pt; font-family: Consolas;" class=""><span class="Apple-converted-space"> </span>-> System.</span><b class=""><i class=""><span style="font-size: 10pt; font-family: Consolas; color: rgb(0, 0, 192);" class="">out</span></i></b><span style="font-size: 10pt; font-family: Consolas;" class="">.println(<span class="Apple-converted-space"> </span></span><span style="font-size: 10pt; font-family: Consolas; color: rgb(106, 62, 62);" class="">f</span><span style="font-size: 10pt; font-family: Consolas;" class=""><span class="Apple-converted-space"> </span>));</span><span style="font-size: 10pt; font-family: Consolas; color: windowtext;" class=""><o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(31, 73, 125);" class="">It works like that.<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(31, 73, 125);" class=""><o:p class=""> </o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(31, 73, 125);" class="">So here keycloak.json is used by the filter to validate the ID token by contacting the the IDP and then also requesting for the access token. Right ?<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(31, 73, 125);" class=""><o:p class=""> </o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(31, 73, 125);" class="">The doubt I still have is my other thread(<a href="http://lists.jboss.org/pipermail/keycloak-user/2016-July/007064.html" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">http://lists.jboss.org/pipermail/keycloak-user/2016-July/007064.html</a>)<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(31, 73, 125);" class=""><o:p class=""> </o:p></span></div><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';" class=""><span style="font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" class="">The answer there mentions that </span> when a request comes into the website the application, the session ID is used to establish who you are.<o:p class=""></o:p></pre><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(31, 73, 125);" class="">But that is the ID token. Hope I am mixing two different concerns here.<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(31, 73, 125);" class=""><o:p class=""> </o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(31, 73, 125);" class="">Thanks,<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="color: rgb(31, 73, 125);" class="">Mohan<o:p class=""></o:p></span></div><div class=""><div style="border-style: solid none none; border-top-color: rgb(225, 225, 225); border-top-width: 1pt; padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><b class=""><span style="color: windowtext;" class="">From:</span></b><span style="color: windowtext;" class=""><span class="Apple-converted-space"> </span>Marek Posolda [<a href="mailto:mposolda@redhat.com" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">mailto:mposolda@redhat.com</a>]<span class="Apple-converted-space"> </span><br class=""><b class="">Sent:</b><span class="Apple-converted-space"> </span>Monday, August 01, 2016 10:50 PM<br class=""><b class="">To:</b><span class="Apple-converted-space"> </span>Radhakrishnan, Mohan (Cognizant) <<a href="mailto:Mohan.Radhakrishnan@cognizant.com" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">Mohan.Radhakrishnan@cognizant.com</a>>;<span class="Apple-converted-space"> </span><a href="mailto:keycloak-user@lists.jboss.org" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">keycloak-user@lists.jboss.org</a><br class=""><b class="">Subject:</b><span class="Apple-converted-space"> </span>Re: [keycloak-user] Access token or ID token<o:p class=""></o:p></span></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Not sure exactly about all the details of your setup etc. However from the first look, if you use "response_type=id_token" , then Keycloak will return you just idToken, but not accessToken at all.<span class="Apple-converted-space"> </span><br class=""><br class="">If you want both idToken and accessToken, you need to use value "id_token token".<span class="Apple-converted-space"> </span><br class=""><br class="">So encoded parameter will be something like "response_type=id_token%20token"<br class=""><br class="">Marek<br class=""><br class="">On 01/08/16 11:41,<span class="Apple-converted-space"> </span><a href="mailto:Mohan.Radhakrishnan@cognizant.com" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">Mohan.Radhakrishnan@cognizant.com</a><span class="Apple-converted-space"> </span>wrote:<span style="font-size: 12pt;" class=""><o:p class=""></o:p></span></div></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Hi,<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> My ID token flow and OIDC filter are working. But I am still doubtful about my implementation. When I used another IDP(IdentifyServer3) the redirect URL issued from<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">AngularJS gave me the access token with the ID token embedded in it directly.<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">But now I am using this code.<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10pt; font-family: Consolas;" class=""> AccessToken<span class="Apple-converted-space"> </span></span><span style="font-size: 10pt; font-family: Consolas; color: rgb(106, 62, 62);" class="">accessToken</span><span style="font-size: 10pt; font-family: Consolas;" class=""><span class="Apple-converted-space"> </span>=<span class="Apple-converted-space"> </span></span><span style="font-size: 10pt; font-family: Consolas; color: rgb(106, 62, 62);" class="">keycloakPrincipal</span><span style="font-size: 10pt; font-family: Consolas;" class="">.getKeycloakSecurityContext().getToken();</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10pt; font-family: Consolas;" class=""> </span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10pt; font-family: Consolas;" class="">URL is this.</span><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><u class=""><span style="font-size: 12pt;" class=""><a href="http://localhost:8080/auth/realms/Test/protocol/openid-connect/auth?response_type=id_token&redirect_uri=http://localhost:8000/keycloak/claim/&realm=Test&client_id=Test&scope=user" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">http://localhost:8080/auth/realms/Test/protocol/openid-connect/auth?response_type=id_token&redirect_uri=http://localhost:8000/keycloak/claim/&realm=Test&client_id=Test&scope=user</a></span></u><o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">And<span class="Apple-converted-space"> </span><a href="https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.html" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.html</a><span class="Apple-converted-space"> </span>mentions that keycloak.json is required to get the access token in AngularJS.<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Am I missing something ? Why is there a difference ?<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""> <o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Thanks,<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Mohan<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 12pt; font-family: 'Times New Roman', serif;" class="">This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.<span class="Apple-converted-space"> </span><br class=""><br class=""><br class=""><o:p class=""></o:p></span></div><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';" class="">_______________________________________________<o:p class=""></o:p></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';" class="">keycloak-user mailing list<o:p class=""></o:p></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';" class=""><a href="mailto:keycloak-user@lists.jboss.org" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">keycloak-user@lists.jboss.org</a><o:p class=""></o:p></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';" class=""><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><o:p class=""></o:p></pre></blockquote><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></span></div></div><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); float: none; display: inline !important;" class="">This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.<span class="Apple-converted-space"> </span></span><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); float: none; display: inline !important;" class="">_______________________________________________</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); float: none; display: inline !important;" class="">keycloak-user mailing list</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class=""><a href="mailto:keycloak-user@lists.jboss.org" style="color: rgb(149, 79, 114); text-decoration: underline; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class="">keycloak-user@lists.jboss.org</a><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class=""><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" style="color: rgb(149, 79, 114); text-decoration: underline; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);" class="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></div></blockquote></div><br class=""></body></html>