Mark

Reputation: 5612

How can I force Keycloak to use an Authorization header when connecting to an identity provider's token endpoint?

I've configured Keycloak as an identity broker, connecting to a custom OIDC provider that I've created. During the authorization_code flow, Keycloak calls the authorization endpoint to get the code. It then calls the token endpoint of my custom OIDC provider to exchange the code for an auth token.

I observe that Keycloak passes the client_id and client_secret as parameters in the request body, instead of as a Basic Authorization header. I do not want to change the security configuration on my token endpoint. Is there a way to cause Keycloak to send token requests to IdPs using the Auth header?

Relevant Keycloak code appears to be in AbstractOAuth2IdentityProvider's generateTokenRequest method. This hard-codes the client-id and client-secret to be passed as params in the request body.

According to the OIDC specification, client_secret_basic is the default. I'd be surprised if this is not supported by Keycloak; I just can't seem to figure out how to configure it.

Upvotes: 3

Views: 4186
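To make the difference the question describes concrete, here is an added Python example (it is not from the original post and is not Keycloak's code). It builds the authorization-code token request both ways, with the credentials in the form body (client_secret_post, what the asker observes Keycloak sending) and in a Basic Authorization header (client_secret_basic, the OIDC default), and shows how a token endpoint distinguishes and validates the two forms. The client id, secret, code and redirect URI are constructed sample values. Note that RFC 6749 section 2.3.1 requires the client id and secret to be form-urlencoded before they are joined with ':' and base64-encoded, which matters as soon as a secret contains characters such as '/' or '='.

```python
import base64
from typing import Optional, Tuple
from urllib.parse import quote, unquote, urlencode, parse_qs

# Constructed sample values, not taken from the original post.
CLIENT_ID = "keycloak-broker"
CLIENT_SECRET = "s3cr3t/with?odd=chars"
AUTH_CODE = "SplxlOBeZQQYbYS6WxSbIA"
REDIRECT_URI = "https://keycloak.example/realms/demo/broker/custom-oidc/endpoint"


def basic_credentials(client_id: str, client_secret: str) -> str:
    """Build the client_secret_basic Authorization header value.

    RFC 6749 section 2.3.1: form-urlencode both values, join with ':',
    then base64-encode the result.
    """
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


def build_token_request(method: str) -> Tuple[dict, str]:
    """Return (headers, body) for the code exchange using the named client auth method."""
    params = {
        "grant_type": "authorization_code",
        "code": AUTH_CODE,
        "redirect_uri": REDIRECT_URI,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_post":
        # Credentials travel in the form body.
        params["client_id"] = CLIENT_ID
        params["client_secret"] = CLIENT_SECRET
    elif method == "client_secret_basic":
        # Credentials travel in the Authorization header; the body carries only the grant.
        headers["Authorization"] = basic_credentials(CLIENT_ID, CLIENT_SECRET)
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return headers, urlencode(params)


def extract_client_credentials(headers: dict, body: str) -> Optional[Tuple[str, str]]:
    """Token-endpoint side: recover (client_id, client_secret) from either method.

    Returns None when no credentials are present, when the header is malformed,
    or when both methods are used at once (RFC 6749 section 2.3 forbids that).
    """
    auth = headers.get("Authorization", "")
    form = parse_qs(body, keep_blank_values=True)
    in_header = auth.startswith("Basic ")
    in_body = "client_id" in form and "client_secret" in form
    if in_header and in_body:
        return None
    if in_header:
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return None
        if ":" not in decoded:
            return None
        cid, secret = decoded.split(":", 1)
        return unquote(cid), unquote(secret)
    if in_body:
        return form["client_id"][0], form["client_secret"][0]
    return None


if __name__ == "__main__":
    for m in ("client_secret_post", "client_secret_basic"):
        h, b = build_token_request(m)
        print(m, "->", extract_client_credentials(h, b))
```

A token endpoint that is configured for client_secret_basic only would additionally reject the body form outright; the extractor above accepts either so the two requests can be compared side by side.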

Answers (1)

Jan Garaj

Reputation: 28626

Unfortunately, this feature is not implemented.

Feature request: https://issues.jboss.org/browse/KEYCLOAK-5956

Upvotes: 1
