keycloak-scim/topics/clients/oidc/service-accounts.adoc

[[_service-accounts]]

=== Service Accounts

Each OIDC client has a built in _service account_ which allows them to obtain an access token.
This is covered in the OAuth 2.0 specifiation under <<fake/../../../sso-protocols/oidc.adoc#_oidc-auth-flows,Client Credentials Grant>>
To use this feature you must set the <<fake/../../../clients/client-oidc.adoc#_access-type, Access Type>> of your client to `confidential`.  When you do this,
the `Service Accounts Enabled` switch will appear.  You need to turn on this switch.  Also make sure that you have
configured your <<fake/../../../clients/oidc/confidential.adoc#_client-credentials, client credentials>>.

To use it you must have registered a valid `confidential` Client and you need to check the switch `Service Accounts Enabled` in Keycloak admin console for this client.
In tab `Service Account Roles` you can configure the roles available to the service account retrieved on behalf of this client.
Don't forget that you need those roles to be available in Scopes of this client as well (unless you have `Full Scope Allowed` on). As in normal login, roles from access token are intersection of scopes and the service account roles. 

The REST URL to invoke on is `/\{server-root-usualy-auth}/realms/\{realm-name}/protocol/openid-connect/token`.
Invoking on this URL is a POST request and requires you to post the client credentials.
By default, client credentials are represented by clientId and clientSecret of the client in `Authorization: Basic` header, but you can also authenticate client with signed JWT assertion or any other custom mechanism for client authentication.
You also need to use parameter `grant_type=client_credentials` as per OAuth2 specification.

For example the POST invocation to retrieve service account can look like this: 

[source]
----

    POST /auth/realms/demo/protocol/openid-connect/token
    Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials
----        
The response would be this http://tools.ietf.org/html/rfc6749#section-4.4.3[standard JSON document] from the OAuth 2.0 specification. 

[source]
----

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
    "access_token":"2YotnFZFEjr1zCsicMWpAA",
    "token_type":"bearer",
    "expires_in":60,
    "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
    "refresh_expires_in":600,
    "id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
    "not-before-policy":0,
    "session_state":"234234-234234-234234"
}
----    

The retrieved access token can be refreshed or logged out by out-of-bound request.
more clients 2016-05-20 20:52:41 +00:00			`[[_service-accounts]]`
add 2016-04-18 15:15:25 +00:00
more clients 2016-05-20 20:52:41 +00:00			`=== Service Accounts`
add 2016-04-18 15:15:25 +00:00
more clients 2016-05-20 20:52:41 +00:00			`Each OIDC client has a built in _service account_ which allows them to obtain an access token.`
more clients 2016-05-20 21:16:45 +00:00			`This is covered in the OAuth 2.0 specifiation under <<fake/../../../sso-protocols/oidc.adoc#_oidc-auth-flows,Client Credentials Grant>>`
			To use this feature you must set the <<fake/../../../clients/client-oidc.adoc#_access-type, Access Type>> of your client to `confidential`. When you do this,
more clients 2016-05-20 20:52:41 +00:00			the `Service Accounts Enabled` switch will appear. You need to turn on this switch. Also make sure that you have
more clients 2016-05-20 21:16:45 +00:00			`configured your <<fake/../../../clients/oidc/confidential.adoc#_client-credentials, client credentials>>.`
more clients 2016-05-20 20:52:41 +00:00
			To use it you must have registered a valid `confidential` Client and you need to check the switch `Service Accounts Enabled` in Keycloak admin console for this client.
add 2016-04-18 15:15:25 +00:00			In tab `Service Account Roles` you can configure the roles available to the service account retrieved on behalf of this client.
			Don't forget that you need those roles to be available in Scopes of this client as well (unless you have `Full Scope Allowed` on). As in normal login, roles from access token are intersection of scopes and the service account roles.

more clients 2016-05-20 20:52:41 +00:00			The REST URL to invoke on is `/\{server-root-usualy-auth}/realms/\{realm-name}/protocol/openid-connect/token`.
add 2016-04-18 15:15:25 +00:00			`Invoking on this URL is a POST request and requires you to post the client credentials.`
			By default, client credentials are represented by clientId and clientSecret of the client in `Authorization: Basic` header, but you can also authenticate client with signed JWT assertion or any other custom mechanism for client authentication.
more clients 2016-05-20 20:52:41 +00:00			You also need to use parameter `grant_type=client_credentials` as per OAuth2 specification.
add 2016-04-18 15:15:25 +00:00
			`For example the POST invocation to retrieve service account can look like this:`

			`[source]`
			`----`

			`POST /auth/realms/demo/protocol/openid-connect/token`
			`Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=`
			`Content-Type: application/x-www-form-urlencoded`

			`grant_type=client_credentials`
			`----`
			`The response would be this http://tools.ietf.org/html/rfc6749#section-4.4.3[standard JSON document] from the OAuth 2.0 specification.`

			`[source]`
			`----`

			`HTTP/1.1 200 OK`
			`Content-Type: application/json;charset=UTF-8`
			`Cache-Control: no-store`
			`Pragma: no-cache`

			`{`
			`"access_token":"2YotnFZFEjr1zCsicMWpAA",`
			`"token_type":"bearer",`
			`"expires_in":60,`
			`"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",`
			`"refresh_expires_in":600,`
			`"id_token":"tGzv3JOkF0XG5Qx2TlKWIA",`
			`"not-before-policy":0,`
			`"session_state":"234234-234234-234234"`
			`}`
			`----`

			`The retrieved access token can be refreshed or logged out by out-of-bound request.`