[id="proc-using-service-account_{context}"] [[_service_accounts]] ==== Using a Service Account [role="_abstract"] Each OIDC client has a built-in _service account_. Use this _service account_ to obtain an access token. .Prerequisites .Procedure . Select your client in {project_name}. . Click on the *Settings* tab. . Set the <<_access-type, Access Type>> of your client is set to *confidential*. . Toggle *Service Accounts Enabled* to ON. . Click *Save*. . Configure your <<_client-credentials, client credentials>>. . Click on the *Scope* tab. . Verify that you have roles or toggle *Full Scope Allowed* to ON. . On the *Service Account Roles* tab, configure the roles available to this service account for your client. Roles from access tokens are the intersection of: * Role scope mappings of a client combined with the role scope mappings inherited from linked client scopes. * Service account roles. The REST URL to invoke is `/auth/realms/{realm-name}/protocol/openid-connect/token`. This URL must be invoked as a POST request and requires that you post the client credentials with the request. By default, client credentials are represented by the clientId and clientSecret of the client in the *Authorization: Basic* header but you can also authenticate the client with a signed JWT assertion or any other custom mechanism for client authentication. You also need to set the *grant_type* parameter to "client_credentials" as per the OAuth2 specification. For example, the POST invocation to retrieve a service account can look like this: [source] ---- POST /auth/realms/demo/protocol/openid-connect/token Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ= Content-Type: application/x-www-form-urlencoded grant_type=client_credentials ---- The response would be similar to this https://tools.ietf.org/html/rfc6749#section-4.4.3[Access Token Response] from the OAuth 2.0 specification. [source] ---- HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer", "expires_in":60, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "refresh_expires_in":600, "id_token":"tGzv3JOkF0XG5Qx2TlKWIA", "not-before-policy":0, "session_state":"234234-234234-234234" } ---- The retrieved access token can be refreshed or logged out by an out-of-bound request. [role="_additional-resources"] .Additional resources For more details, see <<_client_credentials_grant,Client Credentials Grant>>.