keycloak-scim/server_admin/topics/clients/oidc/proc-using-a-service-account.adoc

72 lines
2.5 KiB
Text

[id="proc-using-service-account_{context}"]
[[_service_accounts]]
==== Using a Service Account
[role="_abstract"]
Each OIDC client has a built-in _service account_. Use this _service account_ to obtain an access token.
.Prerequisites
.Procedure
. Select your client in {project_name}.
. Click on the *Settings* tab.
. Set the <<_access-type, Access Type>> of your client is set to *confidential*.
. Toggle *Service Accounts Enabled* to ON.
. Click *Save*.
. Configure your <<_client-credentials, client credentials>>.
. Click on the *Scope* tab.
. Verify that you have roles or toggle *Full Scope Allowed* to ON.
. On the *Service Account Roles* tab, configure the roles available to this service account for your client.
Roles from access tokens are the intersection of:
* Role scope mappings of a client combined with the role scope mappings inherited from linked client scopes.
* Service account roles.
The REST URL to invoke is `/auth/realms/{realm-name}/protocol/openid-connect/token`. This URL must be invoked as a POST request and requires that you post the client credentials with the request.
By default, client credentials are represented by the clientId and clientSecret of the client in the *Authorization: Basic* header but you can also authenticate the client with a signed JWT assertion or any other custom mechanism for client authentication.
You also need to set the *grant_type* parameter to "client_credentials" as per the OAuth2 specification.
For example, the POST invocation to retrieve a service account can look like this:
[source]
----
POST /auth/realms/demo/protocol/openid-connect/token
Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
----
The response would be similar to this https://tools.ietf.org/html/rfc6749#section-4.4.3[Access Token Response] from the OAuth 2.0 specification.
[source]
----
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"bearer",
"expires_in":60,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"refresh_expires_in":600,
"id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"not-before-policy":0,
"session_state":"234234-234234-234234"
}
----
The retrieved access token can be refreshed or logged out by an out-of-bound request.
[role="_additional-resources"]
.Additional resources
For more details, see <<_client_credentials_grant,Client Credentials Grant>>.