Refresh access_token via refresh_token in Keycloak

Asked 17/7, 2018 at 16:33 Answered 10/2, 2022 at 13:39

I need to make the user keep login in the system if the user's access_token get expired and user want to keep login. How can I get newly updated access_token with the use of refresh_token on Keycloak?

I am using vertx-auth for the auth implementation with Keycloak on vert.x. Is it possible to refresh access_token with vertx-auth or Keycloak's REST API itself? Or what will be another implementation of this?

Havener answered 17/7, 2018 at 16:33 Comment(0)

167

keycloak has REST API for creating an access_token using refresh_token. It is a POST endpoint with application/x-www-form-urlencoded

Here is how it looks:

Method: POST
URL: https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token
Body type: x-www-form-urlencoded
Form fields:    
client_id : <my-client-name>
grant_type : refresh_token
refresh_token: <my-refresh-token>

This will give you new access token using refresh token.

NOTE: if your refresh token is expired it will throw 400 exception in that you can make user login again.

Check out a sample in Postman, you can develop and corresponding API using this.

Heywood answered 17/7, 2018 at 17:40 Comment(11)

I tried this with 2.5.4 and it still requires the client secret for this request. It makes now sense though as to why the client secret will be required if the refresh token is being provided. – Undermanned 13/12, 2018 at 6:42

The client secret is required only if it is a confidential client. Public clients do not require the client secret. – Undermanned 13/12, 2018 at 8:45

Can someone explain why the client secret is required when refreshing a token for a confidential client? – Devanagari 21/12, 2018 at 8:42

@all ,Why refresh token is jwt format? stateless but google and auth0 use stateful. – Hartsock 12/9, 2019 at 10:51

@Devanagari confidential client in Keycloak is meant to server applications, where storing a client secret is secure. Take a look on the docs (here)[keycloak.org/docs/6.0/server_admin/#oidc-clients] – Eiderdown 20/8, 2020 at 20:9

Hi all, I know it's old but I want to ask a bit. I use login phase to get the init token with aud=app1 for example. But when the token is expired, I tried and to refresh the token by calling http://{uri}/realms/{my_realm}/protocol/openid-connect/token, and the result I get the token with different aud, like aud=app2. So how can It be and how can I change app2 to app1, thanks! – Wynn 11/1, 2021 at 10:24

@BasselKh so client secret is not needed? If so may I ask your client configuration? Thanks – Bilateral 17/8, 2021 at 13:48

@Bilateral : grant_type: refresh_token , client_id: your client id , refresh_token: the original refresh token – Puritanism 17/8, 2021 at 16:17

It seems this request also returns a new refresh token. Is this correct? If we want to renew an access token, the refresh token should be refreshed as well? Or the correct flow will be: use access tokens -> if access token expires: use refresh token to get new access token -> if refresh token expires: login and get new refresh and access token. By always creating a new refresh token, it seems that logout could never hapen. – Convention 17/12, 2021 at 12:24

Please add client_secret to the body – Topeka 28/12, 2022 at 8:24

Below article was also helpful for me -> developers.redhat.com/blog/2020/11/24/… – Coleen 18/12, 2023 at 13:40

@maslick is correct you have to supply the client secret too, no need for authorization header in this case:

http://localhost:8080/auth/realms/{realm}/protocol/openid-connect/token

In case of expired refresh token it returns:

If you don't add the secret you get 401 unauthorized even though the refresh token is correct

Threemaster answered 3/7, 2021 at 11:56 Comment(1)

I have just tested it, you only need the client secret if the client that issued the token is confidential – Bilateral 19/8, 2021 at 0:35

Extending Yogendra Mishra's answer. Note that client_id and client_secret can also be sent in Authorization header.

Authorization: Basic ${Base64(<client_id>:<client_secret>)}

This works for both initial token call (without refresh token) and refresh token call to /openid-connect/token endpoint

Basic auth1

Reference: https://developer.okta.com/docs/reference/api/oidc/#client-secret

Azerbaijani answered 10/2, 2022 at 13:39 Comment(0)

I tried with 4.8.2.Final, it gives following unauthorized_client even with previous access token as 'Bearer'. Then I tried with Basic YXBwLXByb3h5OnNlY3JldA== in Authorization header. Then it worked, But still I'm not sure that I am doing right thing.

Baer answered 28/1, 2019 at 5:38 Comment(3)

For the Authorization headers it all comes down to what the server is looking for in the header value. If this works then you're probably not incorrect. – Kab 28/1, 2019 at 5:45

You're probably using a confidential client, so you need to include client_secret in the request – Milkman 8/2, 2019 at 15:12

why would anyone want to use refresh token if I have to pass client_secret for confidential client? IMO, Keycloak should return access_token just by passing client_id and refresh_token since it acts like a secret. – Compote 20/5, 2020 at 13:30

Recommended topics

Hot tags