keycloak-scim/server_admin/topics/clients/oidc/proc-using-a-service-account.adoc

66 lines
2.3 KiB
Text
Raw Normal View History

[[_service_accounts]]
==== Using a Service Account
Each OIDC client has a built-in _service account_, which allows it to obtain an access token.
.Prerequisites
.Procedure
. Select your client in {project_name}.
. Click on the `Settings` tab.
. Set the <<_access-type, Access Type>> of your client is set to `confidential`.
. Set the `Service Accounts Enabled` switch to ON.
. Click *Save*.
. Configure your <<_client-credentials, client credentials>>.
. Click on the `Scope` tab.
. Verify that you have roles or set Full Scope Allowed to ON.
. On the `Service Account Roles` tab, configure the roles available to this service account for your client.
Roles from access tokens are the intersection of:
* Role scope mappings of a client combined with the role scope mappings inherited from linked client scopes.
* Service account roles.
The REST URL to invoke is `/auth/realms/{realm-name}/protocol/openid-connect/token`. This URL must be invoked as a POST request and requires that you post the client credentials with the request.
By default, client credentials are represented by the clientId and clientSecret of the client in the `Authorization: Basic` header but you can also authenticate the client with a signed JWT assertion or any other custom mechanism for client authentication.
You also need to set the `grant_type` parameter to "client_credentials" as per the OAuth2 specification.
For example, the POST invocation to retrieve a service account can look like this:
[source]
----
POST /auth/realms/demo/protocol/openid-connect/token
Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
----
The response would be similar to this https://tools.ietf.org/html/rfc6749#section-4.4.3[Access Token Response] from the OAuth 2.0 specification.
[source]
----
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"bearer",
"expires_in":60,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"refresh_expires_in":600,
"id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"not-before-policy":0,
"session_state":"234234-234234-234234"
}
----
The retrieved access token can be refreshed or logged out by an out-of-bound request.