[keycloak-user] Access token or ID token

Bill Burke bburke at redhat.com
Tue Aug 2 15:25:06 EDT 2016


Keycloak devs recommend using our javascript adapter and auth-code 
flow.  Why?  Implicit flow requires you to re-do the browser redirect 
dance when the access token expires.


On 8/2/16 3:19 PM, Scott Rossillo wrote:
>
> Just to address your concern about Angular vs Java: Angular uses OIDC 
> implicit flow and the Java adapters use the authorization code flow. 
> You don’t get an access token or id token back from the login 
> redirect. You get an authorization code which may then be exchanged 
> for a set of OIDC tokens.
>
> The authorization code flow is something like:
>
> User -> Service : request a secured resource
> Service -> User: redirect to Keycloak login page
> User -> Keycloak : submit login page
> Keycloak -> User : redirect back to Service with this authorization 
> code on the URL
> User -> Service: original request + code
> Service -> Keycloak : exchange auth code for token(s), store tokens, 
> serve secure resource
>
> The authorization code flow doesn’t expose the actual tokens to the 
> user and is considered more secure.
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com <mailto:srossillo at smartling.com>
>
>> On Aug 2, 2016, at 8:05 AM, Mohan.Radhakrishnan at cognizant.com 
>> <mailto:Mohan.Radhakrishnan at cognizant.com> wrote:
>>
>> It is working as you describe. I can either get access or ID token.
>> In either case – response_type=id_token and 
>> response_type=id_token%20token – the method call is the same.
>> KeycloakPrincipal.getKeycloakSecurityContext().getToken().
>> getRealmAccess().getRoles().stream().forEach(f -> 
>> System.out.println(f));
>> It works like that.
>> So here keycloak.json is used by the filter to validate the ID token 
>> by contacting the IDP and then also requesting the access 
>> token. Right ?
>> The doubt I still have is my other 
>> thread (http://lists.jboss.org/pipermail/keycloak-user/2016-July/007064.html).
>> The answer there mentions that when a request comes into the website (the application), the session ID is used to establish who you are.
>> But that is the ID token. Hope I am not mixing two different concerns here.
>> Thanks,
>> Mohan
>> From: Marek Posolda [mailto:mposolda at redhat.com]
>> Sent: Monday, August 01, 2016 10:50 PM
>> To: Radhakrishnan, Mohan (Cognizant) <Mohan.Radhakrishnan at cognizant.com>; keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Access token or ID token
>> Not sure exactly about all the details of your setup etc. However 
>> from the first look, if you use "response_type=id_token" , then 
>> Keycloak will return you just idToken, but not accessToken at all.
>>
>> If you want both idToken and accessToken, you need to use value 
>> "id_token token".
>>
>> So encoded parameter will be something like 
>> "response_type=id_token%20token"
>>
>> Marek
>>
>> On 01/08/16 11:41, Mohan.Radhakrishnan at cognizant.com wrote:
>>
>>     Hi,
>>     My ID token flow and OIDC filter are working. But I am still
>>     doubtful about my implementation. When I used another
>>     IDP (IdentityServer3) the redirect URL issued from
>>     AngularJS gave me the access token with the ID token embedded in
>>     it directly.
>>     But now I am using this code.
>>     AccessToken accessToken = keycloakPrincipal.getKeycloakSecurityContext().getToken();
>>     URL is this.
>>     http://localhost:8080/auth/realms/Test/protocol/openid-connect/auth?response_type=id_token&redirect_uri=http://localhost:8000/keycloak/claim/&realm=Test&client_id=Test&scope=user
>>     And https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.html mentions
>>     that keycloak.json is required to get the access token in AngularJS.
>>     Am I missing something ? Why is there a difference ?
>>     Thanks,
>>     Mohan
>>
>>
>>     _______________________________________________
>>
>>     keycloak-user mailing list
>>
>>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>
>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>

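As an added example (not code from this thread, Keycloak's adapters, or the Java filter Mohan describes), here is the relying-party side of the authorization-code flow Scott outlines, in Python: the Service builds the Keycloak authorize request with response_type=code, checks the callback's state before accepting the code, and prepares the back-channel token exchange, so no access or ID token ever appears in the browser URL as it does with response_type=id_token%20token. The realm, client and redirect URI are taken from Mohan's authorize URL; the openid scope and the confidential-client secret are assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Realm, client and redirect URI as they appear in Mohan's authorize URL.
KEYCLOAK = "http://localhost:8080/auth/realms/Test/protocol/openid-connect"
CLIENT_ID = "Test"
REDIRECT_URI = "http://localhost:8000/keycloak/claim/"


def build_authorize_url(state: str, nonce: str) -> str:
    """Service -> User: redirect to the Keycloak login page.
    response_type=code asks for an authorization code only, so no
    access or ID token is ever placed in the browser URL.
    state and nonce should be fresh secrets.token_urlsafe() values."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",  # assumption: OIDC scope; the thread used scope=user
        "state": state,     # stored in the user's session, checked on return
        "nonce": nonce,     # echoed in the ID token, checked after exchange
    }
    return f"{KEYCLOAK}/auth?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Keycloak -> User -> Service: the redirect back carries ?code=...&state=...
    The code is accepted only if state matches the value bound to this session."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to this login")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def token_request_body(code: str, client_secret: str) -> dict:
    """Service -> Keycloak: the server, not the browser, posts this form to
    KEYCLOAK/token with its own client credentials and receives the tokens."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the one in the authorize request
        "client_id": CLIENT_ID,
        "client_secret": client_secret,  # assumption: a confidential client
    }
```

The returned tokens stay on the Service and are stored in its session; the browser only ever held the one-time code.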