Keycloak essential endpoint

Keycloak is one of the great identity servers out there. It is open source and free, and if you need professional support you can get it from Red Hat.
In the microservice paradigm, we split each business concern into its own service, and one of the most important concerns is user management. Keycloak handles it for your system and also helps keep your services secure.
Now I want to share some common Keycloak endpoints to make your job easier.
These are the common endpoints that Keycloak has:
  • Login

    curl --location --request POST '{KEYCLOAK_ADDRESS}/realms/{REALM_NAME}/protocol/openid-connect/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'username={USERNAME}' \
    --data-urlencode 'password={PASSWORD}' \
    --data-urlencode 'client_id={CLIENT_ID}' \
    --data-urlencode 'scope=openid profile email'

  • Logout

    curl --location --request POST '{KEYCLOAK_ADDRESS}/realms/{REALM_NAME}/protocol/openid-connect/logout' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'client_id={CLIENT_ID}' \
    --data-urlencode 'refresh_token={REFRESH_TOKEN}'

  • Refresh token

    curl --location --request POST '{KEYCLOAK_ADDRESS}/realms/{REALM_NAME}/protocol/openid-connect/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=refresh_token' \
    --data-urlencode 'client_id={CLIENT_ID}' \
    --data-urlencode 'refresh_token={REFRESH_TOKEN}' \
    --data-urlencode 'scope=openid profile email'

  • User info

    curl --location --request GET '{KEYCLOAK_ADDRESS}/realms/{REALM_NAME}/protocol/openid-connect/userinfo' \
    --header 'Authorization: Bearer {ACCESS_TOKEN}'

  • Token introspect

    curl --location --request POST '{KEYCLOAK_ADDRESS}/realms/{REALM_NAME}/protocol/openid-connect/token/introspect' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'token_type_hint=requesting_party_token' \
    --data-urlencode 'client_secret={CLIENT_SECRET}' \
    --data-urlencode 'client_id={CLIENT_ID}' \
    --data-urlencode 'token={ACCESS_TOKEN}'

Vocabularies (they are in braces {}):
  • KEYCLOAK_ADDRESS: Keycloak host address or IP, including the port when it is not a default port (80 or 443), e.g. https://sso.example.com or http://localhost:8080
  • REALM_NAME: Name of the realm in which you want to verify the user and password
  • USERNAME: The user's username
  • PASSWORD: The user's password
  • CLIENT_ID: The client ID provided by the Keycloak admin for your application
  • CLIENT_SECRET: The client secret provided by the Keycloak admin for your application
  • ACCESS_TOKEN: Token generated by Keycloak after a successful login
  • REFRESH_TOKEN: Token generated by Keycloak after a successful login
    • After login, you get a JSON object like this that includes ACCESS_TOKEN and REFRESH_TOKEN:
      
      {
          "access_token": "",
          "expires_in": 1800,
          "refresh_expires_in": 1800,
          "refresh_token": "",
          "token_type": "bearer",
          "id_token": "",
          "not-before-policy": 1586858187,
          "session_state": "d198beba-1a53-4626-b7c8-43fba872b6c5",
          "scope": "openid profile email"
      }
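As an added example (not part of the original post), here is a small Python client that builds the same login and introspection requests as the curl commands above and turns the token reply into something a service can act on. The host, realm, client and sample token values are placeholders you would replace with your own.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def endpoint(base, realm, name):
    """URL of a realm's OpenID Connect endpoint (name: token, logout,
    userinfo, token/introspect), the same paths as the curl commands above."""
    return f"{base.rstrip('/')}/realms/{realm}/protocol/openid-connect/{name}"

def form_body(**fields):
    """application/x-www-form-urlencoded body; fields set to None are omitted."""
    return urlencode({k: v for k, v in fields.items() if v is not None}).encode()

def post_form(url, fields):
    """POST a form to Keycloak and decode the JSON reply (network call)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    with urlopen(Request(url, data=form_body(**fields), headers=headers)) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def parse_token_response(body, now=None):
    """Turn expires_in / refresh_expires_in into absolute timestamps so the
    caller can refresh shortly before expiry instead of after a 401."""
    now = time.time() if now is None else now
    return {
        "access_token": body["access_token"],
        "refresh_token": body.get("refresh_token"),
        "access_expires_at": now + body["expires_in"],
        "refresh_expires_at": now + body.get("refresh_expires_in", 0),
    }

def token_is_active(introspection):
    """Accept a token only when introspection says active=true; a missing or
    false field means expired, revoked or unknown, so reject it."""
    return introspection.get("active") is True

def login(base, realm, client_id, username, password):
    """Resource Owner Password grant, as in the Login curl command."""
    body = post_form(endpoint(base, realm, "token"),
                     {"grant_type": "password", "client_id": client_id,
                      "username": username, "password": password,
                      "scope": "openid profile email"})
    return parse_token_response(body)

def introspect(base, realm, client_id, client_secret, token):
    """Token introspection; needs the client secret, so call it server-side only."""
    return post_form(endpoint(base, realm, "token/introspect"), {"client_id": client_id,
                     "client_secret": client_secret, "token": token})
```

A resource server would call `introspect()` on every incoming bearer token and serve the request only when `token_is_active()` returns True.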
