Keycloak devs recommend using our javascript adapter and auth-code
flow. Why? Implicit flow requires you to re-do the browser redirect
dance when the access token expires.
On 8/2/16 3:19 PM, Scott Rossillo wrote:
Just to address your concern about Angular vs Java: Angular uses OIDC
implicit flow and the Java adapters use the authorization code flow.
You don’t get an access token or id token back from the login
redirect. You get an authorization code which may then be exchanged
for a set of OIDC tokens.
The authorization code flow is something like:
User -> Service : request a secured resource
Service -> User: redirect to Keycloak login page
User -> Keycloak : submit login page
Keycloak -> User : redirect back to Service with this authorization
code on the URL
User -> Service: original request + code
Service -> Keycloak : exchange auth code for token(s), store tokens,
serve secure resource
The authorization code flow doesn’t expose the actual tokens to the
user and is considered more secure.
Scott Rossillo
Smartling | Senior Software Engineer
srossillo(a)smartling.com
> On Aug 2, 2016, at 8:05 AM, Mohan.Radhakrishnan(a)cognizant.com wrote:
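The sequence Scott lays out above, as an added offline model that is not code from the thread or from Keycloak: a hypothetical stub stands in for Keycloak's /auth and /token endpoints, the Service builds the redirect with response_type=code and exchanges the returned code server-side, and a state value stored in the session is checked on the callback. The same stub also answers the implicit "id_token token" request from the thread, so the two redirects can be compared; the realm path and redirect URI are the ones in Mohan's URL, the token strings are constructed.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs, quote

BASE = "http://localhost:8080/auth/realms/Test/protocol/openid-connect"
REDIRECT = "http://localhost:8000/keycloak/claim/"
TOKENS = {"access_token": "constructed.access.token",  # constructed, not real JWTs
          "id_token": "constructed.id.token", "token_type": "Bearer"}

def _query(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

class StubKeycloak:  # hypothetical stand-in for Keycloak's /auth and /token endpoints
    def __init__(self):
        self.codes = {}  # authorization code -> (client_id, redirect_uri)

    def authorize(self, auth_url):
        q = _query(auth_url)
        if q["response_type"] == "id_token token":  # implicit: tokens in the fragment
            return f"{q['redirect_uri']}#{urlencode({**TOKENS, 'state': q['state']})}"
        code = secrets.token_urlsafe(16)            # code flow: only a one-time code
        self.codes[code] = (q["client_id"], q["redirect_uri"])
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, form):
        issued_for = self.codes.pop(form["code"], None)  # pop: a replayed code fails
        if issued_for != (form["client_id"], form["redirect_uri"]):
            raise PermissionError("invalid_grant")
        return dict(TOKENS)

def start_login(response_type, client_id="Test"):
    """Service -> User: build the Keycloak redirect; state stays in the session."""
    state = secrets.token_urlsafe(16)
    return state, f"{BASE}/auth?" + urlencode({"response_type": response_type, "client_id":
        client_id, "redirect_uri": REDIRECT, "state": state}, quote_via=quote)

def finish_login(idp, session_state, callback_url, client_id="Test"):
    """User -> Service with ?code=; Service -> Keycloak exchanges it server-side."""
    params = _query(callback_url)
    if params.get("state") != session_state:       # callback must match our login
        raise PermissionError("state mismatch")
    if "access_token" in callback_url:             # code flow never carries tokens
        raise ValueError("unexpected token in redirect")
    return idp.token({"grant_type": "authorization_code", "code": params["code"],
                      "client_id": client_id, "redirect_uri": REDIRECT})

def code_flow_demo(idp):
    state, url = start_login("code")
    callback = idp.authorize(url)   # Keycloak -> User: redirect back with the code
    return callback, finish_login(idp, state, callback)
```

Only the code and state ever appear in the browser's URL on the code path; the implicit path puts the access and ID tokens straight into the fragment the browser receives.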
>
> It is working as you describe. I can either get access or ID token.
> In either case - response_type=id_token and
> response_type=id_token%20token - the method call is the same.
> KeycloakPrincipal.getKeycloakSecurityContext().getToken()
>     .getRealmAccess().getRoles().stream().forEach(f -> System.out.println(f));
> It works like that.
> So here keycloak.json is used by the filter to validate the ID token
> by contacting the IDP and then also requesting the access
> token. Right ?
> The doubt I still have is my other
> thread (http://lists.jboss.org/pipermail/keycloak-user/2016-July/007064.html).
> The answer there mentions that when a request comes into the website the
> application, the session ID is used to establish who you are.
> But that is the ID token. Hope I am mixing two different concerns here.
> Thanks,
> Mohan
> From: Marek Posolda [mailto:mposolda@redhat.com]
> Sent: Monday, August 01, 2016 10:50 PM
> To: Radhakrishnan, Mohan (Cognizant) <Mohan.Radhakrishnan(a)cognizant.com>; keycloak-user@lists.jboss.org
> Subject: Re: [keycloak-user] Access token or ID token
> Not sure exactly about all the details of your setup etc. However
> from the first look, if you use "response_type=id_token" , then
> Keycloak will return you just idToken, but not accessToken at all.
>
> If you want both idToken and accessToken, you need to use value
> "id_token token".
>
> So encoded parameter will be something like
> "response_type=id_token%20token"
>
> Marek
>
> On 01/08/16 11:41, Mohan.Radhakrishnan@cognizant.com wrote:
>
> Hi,
> My ID token flow and OIDC filter are working. But I am still
> doubtful about my implementation. When I used another
> IDP (IdentityServer3) the redirect URL issued from
> AngularJS gave me the access token with the ID token embedded in
> it directly.
> But now I am using this code.
>
> AccessToken accessToken = keycloakPrincipal.getKeycloakSecurityContext().getToken();
> URL is this.
>
> http://localhost:8080/auth/realms/Test/protocol/openid-connect/auth?response_type=id_token&redirect_uri=http://localhost:8000/keycloak/claim/&realm=Test&client_id=Test&scope=user
>
> And https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.html mentions
> that keycloak.json is required to get the access token in AngularJS.
> Am I missing something ? Why is there a difference ?
> Thanks,
> Mohan
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user