keycloak-scim/server_admin/topics/identity-broker/tokens.adoc

=== Retrieving External IDP Tokens
{project_name} allows you to store tokens and responses from the authentication process with the external IDP.
For that, you can use the `Store Token` configuration option on the IDP's settings page.
Application code can retrieve these tokens and responses to pull in extra user information, or to securely invoke requests on the external IDP.
For example, an application might want to use the Google token to call other Google services and REST APIs.
To retrieve a token for a particular identity provider you need to send a request as follows:
[source,http]
----
GET /auth/realms/{realm}/broker/{provider_alias}/token HTTP/1.1
Host: localhost:8080
Authorization: Bearer <KEYCLOAK ACCESS TOKEN>
----
An application must have authenticated with {project_name} and have received an access token. This access token
will need to have the `broker` client-level role `read-token` set. This means that the user must have a role mapping for this role
and the client application must have that role within its scope.
Because this endpoint is a protected service in {project_name}, you must send the access token that {project_name} issued during the user's authentication.
In the broker configuration page you can automatically assign this role to newly imported users by turning on the `Stored Tokens Readable` switch.
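The request above, as an added client-side example that is not part of the {project_name} project's own code. It assumes a standard {project_name} access token, in which the `broker` client-level role appears under the `resource_access.broker.roles` claim, and uses that claim as a fail-fast pre-flight check before calling the endpoint (the server still verifies the signature and role itself); `demo_token` builds an unsigned, constructed token for offline testing only.

```python
import base64
import json
from urllib.request import Request, urlopen

BROKER_CLIENT = "broker"        # client whose client-level role is required
READ_TOKEN_ROLE = "read-token"  # the role the access token must carry


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    # Reads the payload only. Signature verification is done by the server;
    # this is a client-side check so a missing role fails with a clear error
    # instead of an opaque 403 from the broker endpoint.
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def has_read_token_role(claims):
    roles = claims.get("resource_access", {}).get(BROKER_CLIENT, {}).get("roles", [])
    return READ_TOKEN_ROLE in roles


def broker_token_request(base_url, realm, provider_alias, access_token):
    # GET /auth/realms/{realm}/broker/{provider_alias}/token with the
    # {project_name} access token as a Bearer credential.
    url = f"{base_url}/auth/realms/{realm}/broker/{provider_alias}/token"
    return Request(url, headers={"Authorization": f"Bearer {access_token}"})


def fetch_external_idp_token(base_url, realm, provider_alias, access_token, opener=urlopen):
    # Returns the stored external IDP token response as text; `opener` is
    # injectable so the flow can be exercised without a running server.
    if not has_read_token_role(jwt_claims(access_token)):
        raise PermissionError(f"access token lacks {BROKER_CLIENT} role {READ_TOKEN_ROLE}")
    with opener(broker_token_request(base_url, realm, provider_alias, access_token)) as resp:
        return resp.read().decode("utf-8")


def demo_token(claims):
    # Constructed, unsigned demo JWT (alg none, dummy signature) for local tests only;
    # a real server rejects it. Hypothetical helper, not a {project_name} API.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```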
These external tokens can be re-established either by logging in again through the provider or by using the client-initiated account linking API.