keycloak-scim/server_admin/topics/clients/oidc/proc-using-a-service-account.adoc

[id="proc-using-service-account_{context}"]

[[_service_accounts]]
= Using a service account
[role="_abstract"]
Each OIDC client has a built-in _service account_. Use this _service account_ to obtain an access token.

.Prerequisites

.Procedure
. Click *Clients* in the menu.  
. Select your client.
. Click the *Settings* tab.
. Set the <<_access-type, Access Type>> of your client to *confidential*.
. Toggle *Service Accounts Enabled* to *ON*.
. Click *Save*.
. Configure your <<_client-credentials, client credentials>>.
. Click the *Scope* tab.
. Verify that you have roles or toggle *Full Scope Allowed* to *ON*.
. Click the *Service Account Roles* tab
. Configure the roles available to this service account for your client.

Roles from access tokens are the intersection of:

* Role scope mappings of a client combined with the role scope mappings inherited from linked client scopes.
* Service account roles.

The REST URL to invoke is `/auth/realms/{realm-name}/protocol/openid-connect/token`. This URL must be invoked as a POST request and requires that you post the client credentials with the request. 

By default, client credentials are represented by the clientId and clientSecret of the client in the *Authorization: Basic* header but you can also authenticate the client with a signed JWT assertion or any other custom mechanism for client authentication.

You also need to set the *grant_type* parameter to "client_credentials" as per the OAuth2 specification.

For example, the POST invocation to retrieve a service account can look like this:

[source]
----

    POST /auth/realms/demo/protocol/openid-connect/token
    Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials
----

The response would be similar to this https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.3[Access Token Response] from the OAuth 2.0 specification.

[source]
----

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
    "access_token":"2YotnFZFEjr1zCsicMWpAA",
    "token_type":"bearer",
    "expires_in":60
}
----

Only the access token is returned by default. No refresh token is returned and no user session is created
on the {project_name} side upon successful authentication by default. Due to the lack of refresh token, re-authentication is required when the access token expires. However, this situation does not mean any additional overhead for the {project_name} server because sessions are not created by default.

In this situation, logout is unnecessary. However, issued access tokens can be revoked by sending requests to the OAuth2 Revocation Endpoint as described in the xref:con-oidc_{context}[OpenID Connect Endpoints] section.

[role="_additional-resources"]
.Additional resources
For more details, see <<_client_credentials_grant,Client Credentials Grant>>.
KEYCLOAK-15771 Updates based on peer editing agreements on clients topics and making corrections to roles and groups chapter. 2020-11-17 20:40:14 +00:00			`[id="proc-using-service-account_{context}"]`
moving content from master to admin-reuse 2020-10-16 09:50:55 +00:00
			`[[_service_accounts]]`
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`= Using a service account`
rearranges assembly (#34) Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2020-10-28 20:25:47 +00:00			`[role="_abstract"]`
INcorporates feedback (#40) 2020-11-13 14:09:23 +00:00			`Each OIDC client has a built-in _service account_. Use this _service account_ to obtain an access token.`
moving content from master to admin-reuse 2020-10-16 09:50:55 +00:00
			`.Prerequisites`

			`.Procedure`
applying indentation using leveloffsets 2020-12-01 23:16:31 +00:00			`. Click Clients in the menu.`
			`. Select your client.`
			`. Click the Settings tab.`
			`. Set the <<_access-type, Access Type>> of your client to confidential.`
			`. Toggle Service Accounts Enabled to ON.`
moving content from master to admin-reuse 2020-10-16 09:50:55 +00:00			`. Click Save.`
			`. Configure your <<_client-credentials, client credentials>>.`
applying indentation using leveloffsets 2020-12-01 23:16:31 +00:00			`. Click the Scope tab.`
			`. Verify that you have roles or toggle Full Scope Allowed to ON.`
			`. Click the Service Account Roles tab`
			`. Configure the roles available to this service account for your client.`
moving content from master to admin-reuse 2020-10-16 09:50:55 +00:00
			`Roles from access tokens are the intersection of:`

			`* Role scope mappings of a client combined with the role scope mappings inherited from linked client scopes.`
			`* Service account roles.`

			The REST URL to invoke is `/auth/realms/{realm-name}/protocol/openid-connect/token`. This URL must be invoked as a POST request and requires that you post the client credentials with the request.

applying bold to clients chapter 2020-11-11 16:00:15 +00:00			`By default, client credentials are represented by the clientId and clientSecret of the client in the Authorization: Basic header but you can also authenticate the client with a signed JWT assertion or any other custom mechanism for client authentication.`
moving content from master to admin-reuse 2020-10-16 09:50:55 +00:00
applying bold to clients chapter 2020-11-11 16:00:15 +00:00			`You also need to set the grant_type parameter to "client_credentials" as per the OAuth2 specification.`
moving content from master to admin-reuse 2020-10-16 09:50:55 +00:00
			`For example, the POST invocation to retrieve a service account can look like this:`

			`[source]`
			`----`

			`POST /auth/realms/demo/protocol/openid-connect/token`
			`Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=`
			`Content-Type: application/x-www-form-urlencoded`

			`grant_type=client_credentials`
			`----`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`The response would be similar to this https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.3[Access Token Response] from the OAuth 2.0 specification.`
moving content from master to admin-reuse 2020-10-16 09:50:55 +00:00
			`[source]`
			`----`

			`HTTP/1.1 200 OK`
			`Content-Type: application/json;charset=UTF-8`
			`Cache-Control: no-store`
			`Pragma: no-cache`

			`{`
			`"access_token":"2YotnFZFEjr1zCsicMWpAA",`
			`"token_type":"bearer",`
Adding PR1032 to address account deletion 2020-12-07 22:37:11 +00:00			`"expires_in":60`
moving content from master to admin-reuse 2020-10-16 09:50:55 +00:00			`}`
			`----`

Adding PR1032 to address account deletion 2020-12-07 22:37:11 +00:00			`Only the access token is returned by default. No refresh token is returned and no user session is created`
			`on the {project_name} side upon successful authentication by default. Due to the lack of refresh token, re-authentication is required when the access token expires. However, this situation does not mean any additional overhead for the {project_name} server because sessions are not created by default.`

more duplicate IDs to correct 2020-12-16 22:48:27 +00:00			`In this situation, logout is unnecessary. However, issued access tokens can be revoked by sending requests to the OAuth2 Revocation Endpoint as described in the xref:con-oidc_{context}[OpenID Connect Endpoints] section.`
KEYCLOAK-15771 Updates based on peer editing agreements on clients topics and making corrections to roles and groups chapter. 2020-11-17 20:40:14 +00:00
			`[role="_additional-resources"]`
			`.Additional resources`
			`For more details, see <<_client_credentials_grant,Client Credentials Grant>>.`