keycloak-scim/server_admin/topics/clients/oidc/proc-using-a-service-account.adoc


[[_service_accounts]]
==== Using a Service Account
[role="_abstract"]
Each OIDC client has a built-in _service account_, which allows it to obtain an access token.

.Prerequisites

.Procedure
. Select your client in {project_name}.
. Click on the `Settings` tab.
. Set the <<_access-type, Access Type>> of your client is set to `confidential`.
. Set the `Service Accounts Enabled` switch to ON.
. Click *Save*.
. Configure your <<_client-credentials, client credentials>>.
. Click on the `Scope` tab.
. Verify that you have roles or set Full Scope Allowed to ON.
. On the `Service Account Roles` tab, configure the roles available to this service account for your client.

Roles from access tokens are the intersection of:

* Role scope mappings of a client combined with the role scope mappings inherited from linked client scopes.
* Service account roles.

The REST URL to invoke is `/auth/realms/{realm-name}/protocol/openid-connect/token`. This URL must be invoked as a POST request and requires that you post the client credentials with the request. 

By default, client credentials are represented by the clientId and clientSecret of the client in the `Authorization: Basic` header but you can also authenticate the client with a signed JWT assertion or any other custom mechanism for client authentication.

You also need to set the `grant_type` parameter to "client_credentials" as per the OAuth2 specification.

For example, the POST invocation to retrieve a service account can look like this:

[source]
----

    POST /auth/realms/demo/protocol/openid-connect/token
    Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials
----

The response would be similar to this https://tools.ietf.org/html/rfc6749#section-4.4.3[Access Token Response] from the OAuth 2.0 specification.

[source]
----

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
    "access_token":"2YotnFZFEjr1zCsicMWpAA",
    "token_type":"bearer",
    "expires_in":60,
    "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
    "refresh_expires_in":600,
    "id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
    "not-before-policy":0,
    "session_state":"234234-234234-234234"
}
----

The retrieved access token can be refreshed or logged out by an out-of-bound request.
moving content from master to admin-reuse 2020-10-16 09:50:55 +00:00
			`[[_service_accounts]]`
			`==== Using a Service Account`
rearranges assembly (#34) Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2020-10-28 20:25:47 +00:00			`[role="_abstract"]`
moving content from master to admin-reuse 2020-10-16 09:50:55 +00:00			`Each OIDC client has a built-in _service account_, which allows it to obtain an access token.`

			`.Prerequisites`

			`.Procedure`
			`. Select your client in {project_name}.`
			. Click on the `Settings` tab.
			. Set the <<_access-type, Access Type>> of your client is set to `confidential`.
			. Set the `Service Accounts Enabled` switch to ON.
			`. Click Save.`
			`. Configure your <<_client-credentials, client credentials>>.`
			. Click on the `Scope` tab.
			`. Verify that you have roles or set Full Scope Allowed to ON.`
			. On the `Service Account Roles` tab, configure the roles available to this service account for your client.

			`Roles from access tokens are the intersection of:`

			`* Role scope mappings of a client combined with the role scope mappings inherited from linked client scopes.`
			`* Service account roles.`

			The REST URL to invoke is `/auth/realms/{realm-name}/protocol/openid-connect/token`. This URL must be invoked as a POST request and requires that you post the client credentials with the request.

			By default, client credentials are represented by the clientId and clientSecret of the client in the `Authorization: Basic` header but you can also authenticate the client with a signed JWT assertion or any other custom mechanism for client authentication.

			You also need to set the `grant_type` parameter to "client_credentials" as per the OAuth2 specification.

			`For example, the POST invocation to retrieve a service account can look like this:`

			`[source]`
			`----`

			`POST /auth/realms/demo/protocol/openid-connect/token`
			`Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=`
			`Content-Type: application/x-www-form-urlencoded`

			`grant_type=client_credentials`
			`----`

			`The response would be similar to this https://tools.ietf.org/html/rfc6749#section-4.4.3[Access Token Response] from the OAuth 2.0 specification.`

			`[source]`
			`----`

			`HTTP/1.1 200 OK`
			`Content-Type: application/json;charset=UTF-8`
			`Cache-Control: no-store`
			`Pragma: no-cache`

			`{`
			`"access_token":"2YotnFZFEjr1zCsicMWpAA",`
			`"token_type":"bearer",`
			`"expires_in":60,`
			`"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",`
			`"refresh_expires_in":600,`
			`"id_token":"tGzv3JOkF0XG5Qx2TlKWIA",`
			`"not-before-policy":0,`
			`"session_state":"234234-234234-234234"`
			`}`
			`----`

			`The retrieved access token can be refreshed or logged out by an out-of-bound request.`