keycloak-scim/server_admin/topics/clients/oidc/proc-using-a-service-account.adoc

75 lines
2.5 KiB
Text
Raw Normal View History

[id="proc-using-service-account_{context}"]
[[_service_accounts]]
= Using a Service Account
[role="_abstract"]
2020-11-13 14:09:23 +00:00
Each OIDC client has a built-in _service account_. Use this _service account_ to obtain an access token.
.Prerequisites
.Procedure
. Click *Clients* in the menu.
. Select your client.
. Click the *Settings* tab.
. Set the <<_access-type, Access Type>> of your client to *confidential*.
. Toggle *Service Accounts Enabled* to *ON*.
. Click *Save*.
. Configure your <<_client-credentials, client credentials>>.
. Click the *Scope* tab.
. Verify that you have roles or toggle *Full Scope Allowed* to *ON*.
. Click the *Service Account Roles* tab
. Configure the roles available to this service account for your client.
Roles from access tokens are the intersection of:
* Role scope mappings of a client combined with the role scope mappings inherited from linked client scopes.
* Service account roles.
The REST URL to invoke is `/auth/realms/{realm-name}/protocol/openid-connect/token`. This URL must be invoked as a POST request and requires that you post the client credentials with the request.
2020-11-11 16:00:15 +00:00
By default, client credentials are represented by the clientId and clientSecret of the client in the *Authorization: Basic* header but you can also authenticate the client with a signed JWT assertion or any other custom mechanism for client authentication.
2020-11-11 16:00:15 +00:00
You also need to set the *grant_type* parameter to "client_credentials" as per the OAuth2 specification.
For example, the POST invocation to retrieve a service account can look like this:
[source]
----
POST /auth/realms/demo/protocol/openid-connect/token
Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
----
The response would be similar to this https://tools.ietf.org/html/rfc6749#section-4.4.3[Access Token Response] from the OAuth 2.0 specification.
[source]
----
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"bearer",
"expires_in":60,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"refresh_expires_in":600,
"id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"not-before-policy":0,
"session_state":"234234-234234-234234"
}
----
The retrieved access token can be refreshed or logged out by an out-of-bound request.
[role="_additional-resources"]
.Additional resources
For more details, see <<_client_credentials_grant,Client Credentials Grant>>.