keycloak-scim/server_admin/topics/identity-broker/tokens.adoc

18 lines
1.4 KiB
Text
Raw Normal View History

2016-05-26 16:09:04 +00:00
2016-05-27 15:23:34 +00:00
=== Retrieving External IDP Tokens
2016-05-26 16:09:04 +00:00
With {project_name}, you can store tokens and responses from the authentication process with the external IDP using the `Store Token` configuration option on the IDP's settings page.
2016-05-26 16:09:04 +00:00
Application code can retrieve these tokens and responses to import extra user information or to request the external IDP securely. For example, an application can use the Google token to use other Google services and REST APIs. To retrieve a token for a particular identity provider, send a request as follows:
2016-05-26 16:09:04 +00:00
[source,subs="attributes+"]
2016-05-26 16:09:04 +00:00
----
GET /auth/realms/{realm}/broker/{provider_alias}/token HTTP/1.1
Host: localhost:8080
2017-09-05 07:49:24 +00:00
Authorization: Bearer <KEYCLOAK ACCESS TOKEN>
2016-05-26 16:09:04 +00:00
----
An application must authenticate with {project_name} and receive an access token. This access token must have the `broker` client-level role `read-token` set, so the user must have a role mapping for this role, and the client application must have that role within its scope. In this case, since you are accessing a protected service in {project_name}, send the access token issued by {project_name} during the user authentication. You can assign this role to newly imported users in the broker configuration page by setting the *Stored Tokens Readable* switch to *ON*.
2017-03-09 21:21:37 +00:00
These external tokens can be re-established by logging in again through the provider or using the client-initiated account linking API.