2020-10-16 09:50:55 +00:00
[[_service_accounts]]
==== Using a Service Account
2020-10-28 20:25:47 +00:00
[role="_abstract"]
2020-10-16 09:50:55 +00:00
Each OIDC client has a built-in _service account_, which allows it to obtain an access token.
.Prerequisites
.Procedure
. Select your client in {project_name}.
2020-11-11 16:00:15 +00:00
. Click on the *Settings* tab.
. Set the <<_access-type, Access Type>> of your client is set to *confidential*.
. Set the *Service Accounts Enabled* switch to ON.
2020-10-16 09:50:55 +00:00
. Click *Save*.
. Configure your <<_client-credentials, client credentials>>.
2020-11-11 16:00:15 +00:00
. Click on the *Scope* tab.
2020-10-16 09:50:55 +00:00
. Verify that you have roles or set Full Scope Allowed to ON.
2020-11-11 16:00:15 +00:00
. On the *Service Account Roles* tab, configure the roles available to this service account for your client.
2020-10-16 09:50:55 +00:00
Roles from access tokens are the intersection of:
* Role scope mappings of a client combined with the role scope mappings inherited from linked client scopes.
* Service account roles.
The REST URL to invoke is `/auth/realms/{realm-name}/protocol/openid-connect/token`. This URL must be invoked as a POST request and requires that you post the client credentials with the request.
2020-11-11 16:00:15 +00:00
By default, client credentials are represented by the clientId and clientSecret of the client in the *Authorization: Basic* header but you can also authenticate the client with a signed JWT assertion or any other custom mechanism for client authentication.
2020-10-16 09:50:55 +00:00
2020-11-11 16:00:15 +00:00
You also need to set the *grant_type* parameter to "client_credentials" as per the OAuth2 specification.
2020-10-16 09:50:55 +00:00
For example, the POST invocation to retrieve a service account can look like this:
[source]
----
POST /auth/realms/demo/protocol/openid-connect/token
Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
----
The response would be similar to this https://tools.ietf.org/html/rfc6749#section-4.4.3[Access Token Response] from the OAuth 2.0 specification.
[source]
----
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"bearer",
"expires_in":60,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"refresh_expires_in":600,
"id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"not-before-policy":0,
"session_state":"234234-234234-234234"
}
----
The retrieved access token can be refreshed or logged out by an out-of-bound request.