keycloak-scim/server_admin/topics/clients/oidc/service-accounts.adoc

[[_service_accounts]]

==== Service Accounts

Each OIDC client has a built-in _service account_ which allows it to obtain an access token.
This is covered in the OAuth 2.0 specifiation under <<_client_credentials_grant,Client Credentials Grant>>.
To use this feature you must set the <<_access-type, Access Type>> of your client to `confidential`.  When you do this,
the `Service Accounts Enabled` switch is displayed.  You need to toggle this switch to ON.  Also make sure that you have
configured your <<_client-credentials, client credentials>>.

To use it you must have registered a valid `confidential` Client and you need to check the switch `Service Accounts Enabled` in {project_name} admin console for this client.
In tab `Service Account Roles` you can configure the roles available to the service account retrieved on behalf of this client.
Remember that you must have the roles available in Role Scope Mappings (tab `Scope`) of this client as well, unless you
have `Full Scope Allowed` on. As in a normal login, roles from access token are the intersection of:

* Role scope mappings of particular client combined with the role scope mappings inherited from linked client scopes
* Service account roles

The REST URL to invoke on is `{kc_realms_path}/{realm-name}/protocol/openid-connect/token`.
Invoking on this URL is a POST request and requires you to post the client credentials.
By default, client credentials are represented by clientId and clientSecret of the client in `Authorization: Basic` header, but you can also authenticate the client with a signed JWT assertion or any other custom mechanism for client authentication.
You also need to use the parameter `grant_type=client_credentials` as per the OAuth2 specification.

For example the POST invocation to retrieve a service account can look like this:

[source]
----

    POST {kc_realms_path}/demo/protocol/openid-connect/token
    Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials
----
The response would be this https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.3[standard JSON document] from the OAuth 2.0 specification.

[source]
----

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
    "access_token":"2YotnFZFEjr1zCsicMWpAA",
    "token_type":"bearer",
    "expires_in":60
}
----

There is the only access token returned by default. There is no refresh token returned and there is also no user session created
on the {project_name} side upon successful authentication by default. Due the lack of refresh token, there is a need to re-authenticate when access token expires,
however this does not mean any additional overhead on  {project_name} server side due the fact that sessions are not created by default.

Due to this, there is no need for logout, however issued access tokens can be revoked by sending request to the OAuth2 Revocation Endpoint described
in the <<_oidc-endpoints, OpenID Connect Endpoints>> section.
fixing cross-references, adding and changing attribute id's 2016-06-01 08:49:54 +00:00			`[[_service_accounts]]`
add 2016-04-18 15:15:25 +00:00
KEYCLOAK-8297 Documentation for audience 2018-09-24 08:17:11 +00:00			`==== Service Accounts`
add 2016-04-18 15:15:25 +00:00
Last RHSSO602 updates 2016-12-02 15:59:53 +00:00			`Each OIDC client has a built-in _service account_ which allows it to obtain an access token.`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`This is covered in the OAuth 2.0 specifiation under <<_client_credentials_grant,Client Credentials Grant>>.`
			To use this feature you must set the <<_access-type, Access Type>> of your client to `confidential`. When you do this,
INcorporates feedback (#40) 2020-11-13 14:09:23 +00:00			the `Service Accounts Enabled` switch is displayed. You need to toggle this switch to ON. Also make sure that you have
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`configured your <<_client-credentials, client credentials>>.`
more clients 2016-05-20 20:52:41 +00:00
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			To use it you must have registered a valid `confidential` Client and you need to check the switch `Service Accounts Enabled` in {project_name} admin console for this client.
add 2016-04-18 15:15:25 +00:00			In tab `Service Account Roles` you can configure the roles available to the service account retrieved on behalf of this client.
KEYCLOAK-7075 Client scopes documentation (#389) 2018-06-08 13:39:15 +00:00			Remember that you must have the roles available in Role Scope Mappings (tab `Scope`) of this client as well, unless you
			have `Full Scope Allowed` on. As in a normal login, roles from access token are the intersection of:

			`* Role scope mappings of particular client combined with the role scope mappings inherited from linked client scopes`
			`* Service account roles`
add 2016-04-18 15:15:25 +00:00
Update documentation for Quarkus distribution (#1385) 2022-02-08 13:07:16 +00:00			The REST URL to invoke on is `{kc_realms_path}/{realm-name}/protocol/openid-connect/token`.
add 2016-04-18 15:15:25 +00:00			`Invoking on this URL is a POST request and requires you to post the client credentials.`
Minor changes for Clients chapter. 2016-06-03 13:12:04 +00:00			By default, client credentials are represented by clientId and clientSecret of the client in `Authorization: Basic` header, but you can also authenticate the client with a signed JWT assertion or any other custom mechanism for client authentication.
			You also need to use the parameter `grant_type=client_credentials` as per the OAuth2 specification.
add 2016-04-18 15:15:25 +00:00
RH602 and 642 updates 2016-12-01 22:17:15 +00:00			`For example the POST invocation to retrieve a service account can look like this:`
add 2016-04-18 15:15:25 +00:00
			`[source]`
			`----`

Update documentation for Quarkus distribution (#1385) 2022-02-08 13:07:16 +00:00			`POST {kc_realms_path}/demo/protocol/openid-connect/token`
add 2016-04-18 15:15:25 +00:00			`Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=`
			`Content-Type: application/x-www-form-urlencoded`

			`grant_type=client_credentials`
RH602 and 642 updates 2016-12-01 22:17:15 +00:00			`----`
KEYCLOAK-18301 Fix broken links 2021-05-27 12:29:27 +00:00			`The response would be this https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.3[standard JSON document] from the OAuth 2.0 specification.`
add 2016-04-18 15:15:25 +00:00
			`[source]`
			`----`

			`HTTP/1.1 200 OK`
			`Content-Type: application/json;charset=UTF-8`
			`Cache-Control: no-store`
			`Pragma: no-cache`

			`{`
			`"access_token":"2YotnFZFEjr1zCsicMWpAA",`
			`"token_type":"bearer",`
KEYCLOAK-9551 Client Credentials Grant should not generate refresh token 2020-11-05 16:36:02 +00:00			`"expires_in":60`
add 2016-04-18 15:15:25 +00:00			`}`
RH602 and 642 updates 2016-12-01 22:17:15 +00:00			`----`
add 2016-04-18 15:15:25 +00:00
KEYCLOAK-9551 Client Credentials Grant should not generate refresh token 2020-11-05 16:36:02 +00:00			`There is the only access token returned by default. There is no refresh token returned and there is also no user session created`
			`on the {project_name} side upon successful authentication by default. Due the lack of refresh token, there is a need to re-authenticate when access token expires,`
			`however this does not mean any additional overhead on {project_name} server side due the fact that sessions are not created by default.`

			`Due to this, there is no need for logout, however issued access tokens can be revoked by sending request to the OAuth2 Revocation Endpoint described`
			`in the <<_oidc-endpoints, OpenID Connect Endpoints>> section.`