Obtain id_token with Keycloak

Who knows how to obtain the id_token with Keycloak?

I have been working with Keycloak in Java (Spring, JEE) and postman.

The basics work fine, but I need the id_token, since some claims are present in the id_token but not in the access_token.

Using the keycloak-core library I could obtain the Keycloak context, but the id_token attribute is always null.

Any ideas?

Dnepropetrovsk answered 16/3, 2018 at 13:53 Comment(4)
Commune: "I have been working with Keycloak in Java (Spring, JEE) and postman." @Pablo, which Keycloak adapter are you using? Did you take a look at the official documentation regarding Security Context?

Dnepropetrovsk: Hi, thanks for your comment. I tried with the Spring adapter, the Wildfly adapter, and I tried to get the id_token through HTTP calls. I checked the official documentation but could not find anything regarding id_token or how to configure it to be returned in the /token response.

Ludwick: I guess the access token and id token are equivalent here. You can still add custom claims if you want to: #32679383

Dnepropetrovsk: Not really, the access token and id_token could not have the same information; sometimes the id_token is used for sensitive information, and that is the requirement I have now.

If you are using Keycloak version 3.2.1, then the mail chain below will help you.

Hi All,

I am using the curl command below:

curl -k https://IP-ADDRESS:8443/auth/realms/Test123/protocol/openid-connect/token -d "grant_type=client_credentials" -d "client_id=SURE_APP" -d "client_secret=ca3c4212-f3e8-43a4-aa14-1011c7601c67"

In the above command's response the id_token is missing, which is required for Kong to tell who I am.

In my Keycloak realm -> client -> Full Scope Allowed -> True

OK, I found it: we have to add

scope=openid

Only then will it work.

Chrisom answered 17/3, 2018 at 8:51 Comment(1)
Dnepropetrovsk: Thanks, your answer helped me a lot. I just added one thing: realm -> client -> Service Accounts Enabled -> True. With this I can obtain the id_token from the token endpoint.

I had the same issue with Keycloak version 3.4.3.

I added scope=openid to my request, as Gal Margalit mentioned in his answer, and it works.

Here is my request:

curl -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "scope=openid" -d "grant_type=password" -d "client_id=test" -d "[email protected]" -d "password=test" 'https://YOUR-DOMAIN/realms/test123/protocol/openid-connect/token'

Blent answered 9/7, 2018 at 10:24 Comment(0)
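The two answers above boil down to the same fix: the token request has to carry scope=openid, whatever the grant type. As an added example (not code from the thread or from Keycloak), the script below builds the token endpoint URL for a realm, builds the form body so that openid is always in the scope, and pulls id_token out of the JSON the endpoint returns. The realm "Test123", the client "SURE_APP" and the host "IP-ADDRESS" are taken from the answers; the client secret and the sample response are placeholders I constructed.

```python
"""Request Keycloak tokens in a way that actually returns an id_token.

Added example, not code from the thread or from Keycloak. It assumes a realm
named "Test123" and a confidential client "SURE_APP" (both names from the
answers above); the host and the client secret are placeholders.
"""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Dict, Optional


def token_endpoint(base_url: str, realm: str, legacy_auth_prefix: bool = False) -> str:
    """Token endpoint URL for a realm. Older Keycloak releases served
    everything under /auth; set legacy_auth_prefix=True for those."""
    prefix = "/auth" if legacy_auth_prefix else ""
    return f"{base_url.rstrip('/')}{prefix}/realms/{realm}/protocol/openid-connect/token"


def build_token_request(grant_type: str, client_id: str, scope: str = "",
                        **extra: str) -> Dict[str, str]:
    """Form fields for the token request. 'openid' is added to the scope if
    it is missing: without it Keycloak 3.x and later answer with access_token
    and refresh_token only, which is the symptom described in the question."""
    scopes = scope.split()
    if "openid" not in scopes:
        scopes.insert(0, "openid")
    fields = {"grant_type": grant_type, "client_id": client_id, "scope": " ".join(scopes)}
    fields.update(extra)  # client_secret, username, password, ...
    return fields


def encode_form(fields: Dict[str, str]) -> bytes:
    """application/x-www-form-urlencoded body, as curl -d would send it."""
    return urllib.parse.urlencode(fields).encode()


def extract_id_token(response_body: str) -> Optional[str]:
    """Pull id_token out of the token endpoint's JSON; None when the server
    did not issue one (typically: scope did not include openid)."""
    return json.loads(response_body).get("id_token")


def request_tokens(url: str, fields: Dict[str, str], cafile: Optional[str] = None) -> dict:
    """POST the form to the token endpoint. Does real network I/O, so it is
    not exercised offline. TLS verification stays on; pass the realm's CA
    bundle via cafile instead of disabling checks the way curl -k does."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        url, data=encode_form(fields), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode())


# Constructed sample response in the shape Keycloak returns once scope=openid
# is present; the token values are placeholders, not real JWTs.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "access.placeholder.token",
    "expires_in": 300,
    "refresh_token": "refresh.placeholder.token",
    "id_token": "id.placeholder.token",
    "token_type": "bearer",
    "scope": "openid profile email",
})


if __name__ == "__main__":
    url = token_endpoint("https://IP-ADDRESS:8443", "Test123")
    fields = build_token_request("client_credentials", "SURE_APP",
                                 client_secret="<client-secret-placeholder>")
    print(url)
    print(encode_form(fields).decode())
    print("id_token from sample response:", extract_id_token(SAMPLE_RESPONSE))
```

For the password grant from Blent's answer, call build_token_request("password", "test", username=..., password=...) instead; the scope handling is the same. request_tokens is the only function that touches the network, and it keeps certificate verification on deliberately: the -k in the curl commands above is convenient against a self-signed test instance but has no place in anything that handles real credentials.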

In Keycloak 2.x the id_token was inside the returned token object.
They removed it in Keycloak 3.x.
Just add the following to your request:

scope: "openid"

as listed below, to retain the id_token:

http://lists.jboss.org/pipermail/keycloak-user/2018-February/013170.html

Pyrethrin answered 12/4, 2018 at 11:23 Comment(0)

On Keycloak 23.0.4 the "auth" segment in the URL has been left out, so for a client it is now, for example:

curl -k https://IP-ADDRESS:8443/realms/Test123/protocol/openid-connect/token -d "grant_type=client_credentials" -d "client_id=SURE_APP" -d "client_secret=ca3c4212-f3e8-43a4-aa14-1011c7601c67" -d "scope=openid"

To get the id_token for a user, the user credentials have to be added and the grant_type has to be changed to password, for example:

curl -k https://IP-ADDRESS:8443/realms/Test123/protocol/openid-connect/token -d "grant_type=password" -d "client_id=SURE_APP" -d "client_secret=ca3c4212-f3e8-43a4-aa14-1011c7601c67" -d "scope=openid" -d "username=jdoe" -d "password=jdoe"

Correction: the way described above, which was also mentioned by previous contributors, still gives you the access_token, NOT the id_token. It contains user information, yes, but is still not the "real thing". Studying the OpenID specification (https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) I found out that a way to get the id_token would be to specify the response_type (= grant_type) "id_token", but this, according to the error message received, is not supported by Keycloak. So the only way I found is to go via the code flow: first ask for the code (grant_type=authorization_code), and then, by asking for the token, you will not only get the access_token but also the id_token, which doesn't contain all the authority-related claims.

Freesia answered 25/1 at 14:53 Comment(0)
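The correction above raises a point worth being able to check in code: a JSON field that "contains user information" is not automatically an ID token. Keycloak marks the kind of token in the payload's typ claim ("Bearer" for an access token, "ID" for an ID token), and an ID token is addressed to the client (aud is your client_id), while a Keycloak access token is typically addressed to "account" and only names the client in azp; the access token is also where the role claims (realm_access) live, which matches the remark that the id_token lacks the authority-related claims. The script below, an added example and not code from the thread or from Keycloak, decodes a token without verifying it, classifies it by these claims, and runs the issuer/audience/expiry checks from OpenID Connect Core 3.1.3.7 that need no key. The two sample tokens are constructed with a placeholder signature; real Keycloak tokens are RS256-signed and must be verified against the realm's JWKS (for instance with PyJWT) before any claim is trusted, so treat the decoding here as inspection only. The issuer URL reuses the placeholder host and realm from the answers.

```python
"""Tell a Keycloak access_token from an id_token by their claims.

Added example, not code from the thread or from Keycloak. The two tokens below
are constructed (placeholder signature, never valid); real tokens are RS256
signed and must be verified against the realm JWKS before use. The unverified
decode here is for inspection only.
"""
import base64
import json
import time
from typing import Dict, List, Optional, Tuple

ISSUER = "https://IP-ADDRESS:8443/realms/Test123"  # placeholder host/realm from the answers
CLIENT_ID = "SURE_APP"


def b64url_decode(s: str) -> bytes:
    """JWT segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Split a compact JWS into (header, payload) WITHOUT checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def classify(payload: dict) -> str:
    """Keycloak puts the token kind in the payload's typ claim."""
    return {"ID": "id_token", "Bearer": "access_token"}.get(payload.get("typ"), "unknown")


def validate_id_token_claims(payload: dict, issuer: str, client_id: str,
                             now: Optional[float] = None) -> List[str]:
    """Key-free checks from OIDC Core 3.1.3.7: iss, aud (and azp when there
    are several audiences), exp. Returns a list of problems, empty if fine."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("typ") != "ID":
        problems.append("typ is not ID")
    if payload.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        problems.append("client not in aud")
    if len(auds) > 1 and payload.get("azp") != client_id:
        problems.append("azp mismatch")
    if payload.get("exp", 0) <= now:
        problems.append("expired")
    return problems


def _constructed_token(payload: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed sample)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    sig = b"constructed-signature-not-valid"
    return ".".join(b64url_encode(x) for x in (
        json.dumps(header).encode(), json.dumps(payload).encode(), sig))


NOW = 1_700_000_000  # fixed clock so the samples are reproducible
ACCESS_TOKEN = _constructed_token({
    "exp": NOW + 300, "iat": NOW, "iss": ISSUER, "aud": "account",
    "typ": "Bearer", "azp": CLIENT_ID, "scope": "openid profile",
    "realm_access": {"roles": ["user"]}, "preferred_username": "jdoe"})
ID_TOKEN = _constructed_token({
    "exp": NOW + 300, "iat": NOW, "iss": ISSUER, "aud": CLIENT_ID,
    "typ": "ID", "azp": CLIENT_ID, "preferred_username": "jdoe",
    "email": "jdoe@example.com"})


def inspect(token: str, issuer: str = ISSUER, client_id: str = CLIENT_ID,
            now: float = NOW) -> Dict[str, object]:
    """Summarise what a token endpoint field actually holds."""
    header, payload = decode_jwt_unverified(token)
    kind = classify(payload)
    return {
        "kind": kind,
        "alg": header.get("alg"),
        "problems": validate_id_token_claims(payload, issuer, client_id, now)
        if kind == "id_token" else None,
        "has_roles": "realm_access" in payload,
    }


if __name__ == "__main__":
    for name, tok in (("access_token", ACCESS_TOKEN), ("id_token", ID_TOKEN)):
        print(name, "->", inspect(tok))
```

Running inspect on the access_token field from a Keycloak response reports kind "access_token" with role claims present; the id_token field reports kind "id_token" and an empty problem list when issuer, audience and expiry line up. If a relying party only ever looks at preferred_username it may not notice that it has been handed the wrong one of the two, which is exactly the confusion the correction above describes.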
