
Keycloak: Requesting Token with Password Grant

Posted: 2023-05-08 23:44:53  Views: 59
Tags: Grant -- request token Requesting Token password Keycloak

Keycloak: Requesting Token with Password Grant

https://www.appsdeveloperblog.com/keycloak-requesting-token-with-password-grant/

In this tutorial, you will learn how to use the OAuth 2 Password Grant flow to request an Access Token and a Refresh Token from a Keycloak server by sending an HTTP POST request to its /token endpoint.

The Password Grant flow should only be used if your application does not support redirects. If your application is a web application or a mobile application that does support redirects, it is recommended to use the Authorization Code grant flow instead. If your application is a secure mobile application that the user trusts absolutely and is willing to hand their username and password to, then a Password Grant flow can be used. Note, however, that the latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely.

The password grant can also be useful when you need to migrate existing clients by converting their stored credentials to an OAuth access token.

I assume that you already have a Keycloak server running and a user created. Otherwise, please follow these two tutorials first:


Getting Access Token with Password Grant Type

The following HTTP POST request can be used to request an access token and a refresh token using the user's (Resource Owner's) password credentials. Before sending this request, make sure the Keycloak server is running and the user's credentials are correct.

curl --location --request POST 'http://localhost:8080/auth/realms/appsdeveloperblog/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'password=USER-PASSWORD' \
--data-urlencode 'username=USER-NAME' \
--data-urlencode 'client_id=photo-app-client' \
--data-urlencode 'grant_type=password'

Where:


  • localhost:8080 – is a host and a port number on which the Keycloak server is running,
  • appsdeveloperblog – is a Keycloak Realm,
  • photo-app-client – is an OAuth client registered with Keycloak authorization server,
  • USER-PASSWORD and USER-NAME – are the Resource Owner's (user's) login credentials,
  • password – is the grant type. The grant type tells the authorization server how the client wants to exchange the user's credentials for an access token.

In case of a successful request, you should see a similar JSON in a Response Body:

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItNUlsX2I0cUktdWFvaEI3d244UHY3WEM2UEktU3BNbmZCRnlJZUx6QTJNIn0.….gauVxQ-xKBQO51JdgrUnTSjZt6pKiN1pYzWEmNYXH45pj4sFSt9249mOn6J9X6OpJxkl5H5o2b2PPX9X7ZnLYz4i-mXHuYpNhVlmpbee2xH8i3_RmjcBSJebyjs11T8QrAj41mADNYZXLi_mW7Uu7ecSrUiBHoioaMBJnX7CUPN67Q1ctviCkNqbkrPsZyYFaky0en-smBGMMVmLaIS6xksBnxAZBLcalw4IkU7YVFynT-qGUhwGiGrkcTZwSLCowCZcBK3mAH_otdNqiTlGcGgAdqn0ea092WS0EdzR2bAMddCXM7FsD_HzooouxdvPgMuoxaHPp9rClh7dlX7fNw",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlYWQyMDZmOS05MzczLTQ1OTAtOGQ4OC03YWNkYmZjYTU5MmMifQ.eyJleHAiOjE1OTIyNTAxOTAsImlhdCI6MTU5MjI0ODM5MCwianRpIjoiNzJlNTI1YmMtNDIwMy00MDhiLThhYzAtYzk2ZGNiYTFhOTI2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL2FwcHNkZXZlbG9wZXJibG9nIiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL2FwcHNkZXZlbG9wZXJibG9nIiwic3ViIjoiMWRkZTNmYzMtYzZkYi00OWZiLTliM2QtNzk2NGM1YzA2ODdhIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InBob3RvLWFwcC1jbGllbnQiLCJzZXNzaW9uX3N0YXRlIjoiNmYxOGNlZjUtZTI5OS00ZWMyLTgwMjAtODhkMmQ5N2EzZDNiIiwic2NvcGUiOiJlbWFpbCBwcm9maWxlIn0.c5JZg9Y-a1etKmF3uRcnbKKIeAIDe72cz1tPe5IzpRo",
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "6f18cef5-e299-4ec2-8020-88d2d97a3d3b",
    "scope": "email profile"
}

You might have noticed that, although the request above does not include a scope parameter, the response JSON still contains two scope values: "email" and "profile". These are simply the Default Client Scopes registered for the client at the authorization server. Your OAuth client might have different scopes configured.
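As an added example (not part of the original tutorial), the following Python script reproduces the token request above without curl and then inspects the response the way a reviewer would: it form-encodes the grant parameters, POSTs them to the realm's token endpoint, and decodes the returned refresh token's header and claims so you can see where the "email profile" scope, the client id and the 1800-second refresh lifetime actually come from. The sample response embedded in the script is the one printed above (the access token payload is elided on the page, so only the refresh token is decoded). The `legacy_prefix` flag is my own addition: the tutorial's URL uses the older `/auth` path prefix, which newer Keycloak distributions drop by default. The decoding deliberately skips signature verification; it is for inspection only, and a resource server must validate the signature against the realm's keys before trusting any claim.

```python
import base64
import json
import urllib.parse
import urllib.request

# Sample token response reproduced from the tutorial above (refresh token verbatim).
SAMPLE_REFRESH_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlYWQyMDZmOS05MzczLTQ1OTAtOGQ4OC03YWNkYmZjYTU5MmMifQ."
    "eyJleHAiOjE1OTIyNTAxOTAsImlhdCI6MTU5MjI0ODM5MCwianRpIjoiNzJlNTI1YmMtNDIwMy00MDhiLThhYzAtYzk2ZGNiYTFhOTI2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL2FwcHNkZXZlbG9wZXJibG9nIiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL2FwcHNkZXZlbG9wZXJibG9nIiwic3ViIjoiMWRkZTNmYzMtYzZkYi00OWZiLTliM2QtNzk2NGM1YzA2ODdhIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6InBob3RvLWFwcC1jbGllbnQiLCJzZXNzaW9uX3N0YXRlIjoiNmYxOGNlZjUtZTI5OS00ZWMyLTgwMjAtODhkMmQ5N2EzZDNiIiwic2NvcGUiOiJlbWFpbCBwcm9maWxlIn0."
    "c5JZg9Y-a1etKmF3uRcnbKKIeAIDe72cz1tPe5IzpRo"
)
SAMPLE_RESPONSE = {
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": SAMPLE_REFRESH_TOKEN,
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "6f18cef5-e299-4ec2-8020-88d2d97a3d3b",
    "scope": "email profile",
}


def token_endpoint(base_url, realm, legacy_prefix=True):
    """Build the realm's token endpoint. legacy_prefix keeps the /auth path used in the tutorial."""
    prefix = "/auth" if legacy_prefix else ""
    return f"{base_url.rstrip('/')}{prefix}/realms/{realm}/protocol/openid-connect/token"


def password_grant_body(username, password, client_id, scope=None):
    """Form-encode the grant parameters; equivalent to curl's --data-urlencode lines."""
    params = {"grant_type": "password", "client_id": client_id,
              "username": username, "password": password}
    if scope:
        params["scope"] = scope          # optional; omitted means the client's default scopes
    return urllib.parse.urlencode(params).encode()


def request_token(base_url, realm, client_id, username, password, timeout=10):
    """POST the password grant to Keycloak and return the parsed JSON (real network call)."""
    req = urllib.request.Request(
        token_endpoint(base_url, realm),
        data=password_grant_body(username, password, client_id),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, claims) of a compact JWS. Signature is NOT checked: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def summarize_token_response(resp):
    """Pull out the facts a reviewer checks: scopes, client, token lifetimes, algorithm."""
    header, claims = decode_jwt_unverified(resp["refresh_token"])
    lifetime = claims["exp"] - claims["iat"]
    return {
        "token_type": resp["token_type"].lower(),
        "access_expires_in": resp["expires_in"],
        "scopes": resp["scope"].split(),
        "refresh_alg": header["alg"],
        "refresh_typ": claims["typ"],
        "client": claims["azp"],
        "refresh_lifetime": lifetime,
        # The refresh token's own exp/iat should agree with refresh_expires_in.
        "lifetime_matches": lifetime == resp["refresh_expires_in"],
    }


if __name__ == "__main__":
    # Offline demonstration on the tutorial's sample response; for a live server use
    # request_token("http://localhost:8080", "appsdeveloperblog", "photo-app-client", "USER-NAME", "USER-PASSWORD").
    print(json.dumps(summarize_token_response(SAMPLE_RESPONSE), indent=2))
```

Running the script offline shows the refresh token is an HS256 token of type "Refresh" issued to `photo-app-client` with a 1800-second lifetime, matching `refresh_expires_in`, and that the "email profile" scope in the JSON body is the same scope claim carried inside the token.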

I hope this short tutorial was helpful to you. Have a look at other tutorials about OAuth and the Keycloak authorization server on this web site. You might find more interesting tutorials to read.


fastapi_keycloak_integration -- full demo

https://github.com/fanqingsong/fastapi_keycloak_integration

https://github.com/hkiang01/fastapi-keycloak-oidc-auth

From: https://www.cnblogs.com/lightsong/p/17383533.html
