[keycloak-user] Access token or ID token

Scott Rossillo srossillo at smartling.com
Tue Aug 2 15:19:59 EDT 2016


Just to address your concern about Angular vs Java: Angular uses OIDC implicit flow and the Java adapters use the authorization code flow.  You don’t get an access token or id token back from the login redirect. You get an authorization code which may then be exchanged for a set of OIDC tokens.

The authorization code flow is something like:

User -> Service : request a secured resource
Service -> User: redirect to Keycloak login page
User -> Keycloak : submit login page
Keycloak -> User : redirect back to Service with this authorization code on the URL
User -> Service: original request + code
Service -> Keycloak : exchange auth code for token(s), store tokens, serve secure resource

The authorization code flow doesn’t expose the actual tokens to the user and is considered more secure.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Aug 2, 2016, at 8:05 AM, Mohan.Radhakrishnan at cognizant.com wrote:
> 
> It is working as you describe. I can either get access or ID token.
>  
> In either case - response_type=id_token and response_type=id_token%20token – the method call is the same.
>  
>        KeycloakPrincipal.getKeycloakSecurityContext().getToken().
>                                                        getRealmAccess().getRoles().stream().forEach( f -> System.out.println( f ));
> It works like that.
>  
> So here keycloak.json is used by the filter to validate the ID token by contacting the the IDP and then also requesting for the access token. Right ?
>  
> The doubt I still have is my other thread(http://lists.jboss.org/pipermail/keycloak-user/2016-July/007064.html <http://lists.jboss.org/pipermail/keycloak-user/2016-July/007064.html>)
>  
> The answer there mentions that  when a request comes into the website the application, the session ID is used to establish who you are.
> But that is the ID token. Hope I am mixing two different concerns here.
>  
> Thanks,
> Mohan
> From: Marek Posolda [mailto:mposolda at redhat.com <mailto:mposolda at redhat.com>] 
> Sent: Monday, August 01, 2016 10:50 PM
> To: Radhakrishnan, Mohan (Cognizant) <Mohan.Radhakrishnan at cognizant.com <mailto:Mohan.Radhakrishnan at cognizant.com>>; keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] Access token or ID token
>  
> Not sure exactly about all the details of your setup etc. However from the first look, if you use "response_type=id_token" , then Keycloak will return you just idToken, but not accessToken at all. 
> 
> If you want both idToken and accessToken, you need to use value "id_token token". 
> 
> So encoded parameter will be something like "response_type=id_token%20token"
> 
> Marek
> 
> On 01/08/16 11:41, Mohan.Radhakrishnan at cognizant.com <mailto:Mohan.Radhakrishnan at cognizant.com> wrote:
> Hi,
>                 My ID token flow and OIDC filter are working. But I am still doubtful about my implementation. When I used another IDP(IdentifyServer3) the redirect URL issued from
> AngularJS gave me the access token with the ID token embedded in it directly.
>  
> But now I am using this code.
>  
>               AccessToken accessToken = keycloakPrincipal.getKeycloakSecurityContext().getToken();
>  
> URL is this.
> http://localhost:8080/auth/realms/Test/protocol/openid-connect/auth?response_type=id_token&redirect_uri=http://localhost:8000/keycloak/claim/&realm=Test&client_id=Test&scope=user <http://localhost:8080/auth/realms/Test/protocol/openid-connect/auth?response_type=id_token&redirect_uri=http://localhost:8000/keycloak/claim/&realm=Test&client_id=Test&scope=user>
>  
> And https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.html <https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.html> mentions that keycloak.json is required to get the access token in AngularJS.
>  
> Am I missing something ? Why is there a difference ?
>  
> Thanks,
> Mohan
> This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored. 
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>  
> This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored. _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160802/81abbc7b/attachment-0001.html 


More information about the keycloak-user mailing list