24 lines
1.3 KiB
Text
24 lines
1.3 KiB
Text
|
|
=== Retrieving External IDP Tokens
|
|
|
|
{{book.project.name}} allows you to store tokens and responses from the authentication process with the external IDP.
|
|
For that, you can use the `Store Token` configuration option on the IDP's settings page.
|
|
|
|
Application code can retrieve these tokens and responses to pull in extra user information, or to securely invoke requests on the external IDP.
|
|
For example, an application might want to use the Google token to invoke on other Google services and REST APIs.
|
|
To retrieve a token for a particular identity provider you need to send a request as follows:
|
|
|
|
[source,java]
|
|
----
|
|
GET /auth/realms/{realm}/broker/{provider_alias}/token HTTP/1.1
|
|
Host: localhost:8080
|
|
Authorization: Bearer {keycloak_access_token}
|
|
----
|
|
|
|
An application must have authenticated with {{book.project.name}} and have received an access token. This access token
|
|
will need to have the `broker` client-level role `read-token` set. This means that the user must have a role mapping for this role
|
|
and the client application must have that role within its scope.
|
|
In this case, given that you are accessing an protected service in Keycloak, you need to send the access token issued by Keycloak during the user authentication.
|
|
|
|
In the broker configuration page you can automatically assign this role to newly imported users by turning on the `Stored Tokens Readable` switch.
|
|
|