Pre-requisite
- Keycloak 19
Creating a New Client and User
- Sign in to the Keycloak admin console. You must know a valid administrator credential.
- Switch to, or create, a realm that is NOT the master realm (leave the master realm for Keycloak's own administration), for example jwtrealm.
- Create a new client as follows:
  - Ensure that OpenID Connect is the Client type.
  - Provide a Client ID (e.g. jwtclient).
  - Click the Next button.
  - Enable Client authentication. This makes jwtclient a confidential client: Keycloak generates a client secret that must accompany every token request.
  - In the Authentication flow section, unselect Standard flow. Leave Direct access grants selected; that is the flow used by the password grant below, and the token request fails without it.
  - Click the Save button.
- Create a new user as follows:
  - Fill in the Username field (e.g. testuser).
  - Click the Create button.
  - Click the Credentials tab.
  - Click the Set password button.
  - Fill in the Password field.
  - Fill in the Password confirmation field.
  - Turn off Temporary. A temporary password forces a password change at first login, and until the user has completed it the password grant is rejected.
  - Click the Save button.
  - Click the Save password button in the confirmation dialog.
Using Postman for Testing
Note that the password grant hands the user's password to the client itself, so it is suited to tests like this one and to legacy clients; new applications should use the standard (authorization code) flow instead.
- Create a POST request to the following address format:
  http://localhost:8080/realms/<TARGET_REALM>/protocol/openid-connect/token
  Example, using jwtrealm (configured in the previous section) as the TARGET_REALM:
  http://localhost:8080/realms/jwtrealm/protocol/openid-connect/token
- Click the Body tab.
- Select x-www-form-urlencoded.
- Add the following entries:

  Key            Value            Comment
  client_id      jwtclient        The client configured earlier.
  grant_type     password         The direct access grant, i.e. the resource owner password credentials grant.
  client_secret  <Client secret>  Found on the Credentials tab of the jwtclient client configured earlier.
  scope          openid           Requests an ID token alongside the access token; it indicates that the application intends to use OIDC to verify the user's identity.
  username       testuser         The user configured earlier.
  password       <password>       The password set for that user.

- Click the Send button.
Success Output
A successful response has the following format. The lifetimes are integers in seconds, and the access and ID tokens are signed JWTs.
{
  "access_token": "<the access token>",
  "expires_in": <access token lifetime>,
  "refresh_expires_in": <refresh token lifetime>,
  "refresh_token": "<the refresh token>",
  "token_type": "Bearer",
  "id_token": "<the ID token>",
  "not-before-policy": 0,
  "session_state": "<the session state>",
  "scope": "openid profile email"
}
The tokens are JWTs: their header and claims are only base64url-encoded, not encrypted, so they can be decoded to inspect their content. Prefer decoding locally over pasting a live token into a third-party website, since a decoded token is still a usable bearer credential until it expires. Decoding also proves nothing about authenticity; a resource server must verify the signature against the realm's keys and check the issuer, audience and expiry before trusting any claim.
Invalid Credential Output
{
"error": "invalid_grant",
"error_description": "Invalid user credentials"
}
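The Postman request above, the success and invalid-credential responses, and the token checks a client should perform, as an added Python example (stdlib only); this is not code from the original post. It assumes the tutorial's values (base URL http://localhost:8080, realm jwtrealm, client jwtclient, user testuser); the function and variable names are this example's own, request_token needs a running Keycloak, and the sample token at the end is constructed so the decoding part runs offline.

```python
"""Keycloak password grant (ROPC) from Python, plus the response checks.
Added example, not from the original post. Hostname, realm, client and
user names are the tutorial's placeholders; SAMPLE_TOKEN is constructed."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8080"
REALM = "jwtrealm"
CLIENT_ID = "jwtclient"


def token_endpoint(base_url=BASE_URL, realm=REALM):
    """Token endpoint of a realm (the URL Postman posts to)."""
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def password_grant_form(client_id, client_secret, username, password):
    """The x-www-form-urlencoded body of the Postman request as a dict."""
    return {
        "client_id": client_id,
        "grant_type": "password",   # direct access grant (ROPC)
        "client_secret": client_secret,
        "scope": "openid",          # also ask for an ID token
        "username": username,
        "password": password,
    }


def parse_token_response(status, body):
    """Classify a token-endpoint reply as ('ok', tokens), ('error', oauth
    error JSON such as invalid_grant) or ('unexpected', raw details)."""
    try:
        data = json.loads(body)
    except ValueError:
        return "unexpected", {"status": status, "body": body}
    if status == 200 and "access_token" in data:
        return "ok", data
    if "error" in data:
        return "error", data
    return "unexpected", {"status": status, "body": body}


def request_token(client_secret, username, password):
    """POST the form to the realm's token endpoint (needs a live Keycloak)."""
    form = urllib.parse.urlencode(
        password_grant_form(CLIENT_ID, client_secret, username, password)).encode()
    req = urllib.request.Request(token_endpoint(), data=form, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:   # 401 on invalid user credentials
        return parse_token_response(e.code, e.read().decode())


def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token):
    """Return (header, payload) of a JWT WITHOUT verifying its signature.
    This is plain base64url, which is why a token must not be pasted into
    untrusted sites: anyone who reads it can also use it as a bearer token."""
    header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def check_claims(payload, issuer, client_id, now=None):
    """Claim checks a resource server does after verifying the signature with
    the realm's JWKS (<issuer>/protocol/openid-connect/certs; not done here).
    Returns a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != issuer:
        problems.append("issuer mismatch")
    if payload.get("azp") != client_id:
        problems.append("token issued to a different client")
    if payload.get("typ") != "Bearer":
        problems.append("not an access token")
    if payload.get("exp", 0) <= now:
        problems.append("expired")
    return problems


# Constructed sample shaped like a Keycloak access token, with a dummy
# signature, so decode_jwt and check_claims can be exercised offline.
SAMPLE_PAYLOAD = {
    "exp": 1_700_000_300, "iat": 1_700_000_000,
    "iss": f"{BASE_URL}/realms/{REALM}", "sub": "example-user-id",
    "typ": "Bearer", "azp": CLIENT_ID, "scope": "openid profile email",
    "preferred_username": "testuser",
}
SAMPLE_TOKEN = ".".join([_b64url_encode({"alg": "RS256", "typ": "JWT", "kid": "demo"}),
                         _b64url_encode(SAMPLE_PAYLOAD), "c2ln"])

if __name__ == "__main__":
    header, payload = decode_jwt(SAMPLE_TOKEN)
    print(header["alg"], payload["preferred_username"])
    print(check_claims(payload, f"{BASE_URL}/realms/{REALM}", CLIENT_ID, now=1_700_000_100))
```

Against a running Keycloak, request_token("<Client secret>", "testuser", "<password>") returns ("ok", tokens) for the values configured above and ("error", {"error": "invalid_grant", ...}) for a wrong password. check_claims deliberately treats a token whose azp is another client, or whose iss is another realm, as a failure even when it is otherwise valid; that is the check most resource servers forget.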