2016-06-01 08:49:54 +00:00
[[_service_accounts]]
2016-04-18 15:15:25 +00:00
2016-05-20 20:52:41 +00:00
=== Service Accounts
2016-04-18 15:15:25 +00:00
2016-12-02 15:59:53 +00:00
Each OIDC client has a built-in _service account_ which allows it to obtain an access token.
2017-08-28 12:50:14 +00:00
This is covered in the OAuth 2.0 specifiation under <<_client_credentials_grant,Client Credentials Grant>>.
To use this feature you must set the <<_access-type, Access Type>> of your client to `confidential`. When you do this,
2016-05-20 20:52:41 +00:00
the `Service Accounts Enabled` switch will appear. You need to turn on this switch. Also make sure that you have
2017-08-28 12:50:14 +00:00
configured your <<_client-credentials, client credentials>>.
2016-05-20 20:52:41 +00:00
2017-08-28 12:50:14 +00:00
To use it you must have registered a valid `confidential` Client and you need to check the switch `Service Accounts Enabled` in {project_name} admin console for this client.
2016-04-18 15:15:25 +00:00
In tab `Service Account Roles` you can configure the roles available to the service account retrieved on behalf of this client.
2016-12-01 22:17:15 +00:00
Don't forget that you need those roles to be available in Scopes of this client as well (unless you have `Full Scope Allowed` on). As in normal login, roles from access token are the intersection of scopes and the service account roles.
2016-04-18 15:15:25 +00:00
2017-09-05 07:49:24 +00:00
The REST URL to invoke on is `/auth/realms/{realm-name}/protocol/openid-connect/token`.
2016-04-18 15:15:25 +00:00
Invoking on this URL is a POST request and requires you to post the client credentials.
2016-06-03 13:12:04 +00:00
By default, client credentials are represented by clientId and clientSecret of the client in `Authorization: Basic` header, but you can also authenticate the client with a signed JWT assertion or any other custom mechanism for client authentication.
You also need to use the parameter `grant_type=client_credentials` as per the OAuth2 specification.
2016-04-18 15:15:25 +00:00
2016-12-01 22:17:15 +00:00
For example the POST invocation to retrieve a service account can look like this:
2016-04-18 15:15:25 +00:00
[source]
----
POST /auth/realms/demo/protocol/openid-connect/token
Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
2016-12-01 22:17:15 +00:00
----
2017-09-05 07:49:24 +00:00
The response would be this https://tools.ietf.org/html/rfc6749#section-4.4.3[standard JSON document] from the OAuth 2.0 specification.
2016-04-18 15:15:25 +00:00
[source]
----
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"bearer",
"expires_in":60,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"refresh_expires_in":600,
"id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"not-before-policy":0,
"session_state":"234234-234234-234234"
}
2016-12-01 22:17:15 +00:00
----
2016-04-18 15:15:25 +00:00
2016-12-01 22:17:15 +00:00
The retrieved access token can be refreshed or logged out by an out-of-bound request.