Reputation: 11
We have a client that among other things creates and manages Keycloak accounts.
Would it be possible for that client to retrieve tokens on behalf of the users without having to create any user passwords at all? In fact, we'd like to create user accounts and not set a password to start with. None of these users will ever authenticate themselves.
None of the OAuth 2 flows seem to really match this, and we were wondering if there is a variation of the password grant type in which the password is not required for a trusted client ID/secret.
Some options we explored so far are offline tokens and user impersonation, but the former requires persisting secrets, and the latter relies upon proprietary Keycloak features using cookies rather than standard OIDC.
Upvotes: 1
Views: 3890
Reputation: 11
There's as of today an experimental OAuth 2 token exchange grant type available in Keycloak: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-exchange-19
As @qdivision pointed out: https://www.keycloak.org/docs/latest/securing_apps/index.html#direct-naked-impersonation, and Thomas Darimont: https://blog.softwaremill.com/who-am-i-keycloak-impersonation-api-bfe7acaf051a
Upvotes: 0
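The flow the answer points at, as an added example that is not part of the original post and not Keycloak's own code: the trusted client posts the RFC 8693 token-exchange grant to the realm token endpoint with its own `client_id`/`client_secret` and a `requested_subject` (the user to mint a token for), sending no `subject_token` and no user password at all. The Keycloak base URL, realm, client name, secret, username and the token response are all placeholders constructed inline so the example runs offline; the client must have been granted the impersonation permission on the target users in the realm admin console, otherwise Keycloak refuses the exchange.

```python
"""Constructed example: minting a user token from a trusted Keycloak client via
token exchange (RFC 8693, 'direct naked impersonation' in Keycloak's terms).
Nothing here is Keycloak's own code; server URL, realm, client and credentials
are placeholders, and the token response is a constructed sample."""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def token_endpoint(base_url: str, realm: str) -> str:
    # Realm token endpoint. Deployments that still serve under /auth should
    # include that prefix in base_url (assumption about the deployment).
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_naked_impersonation_request(client_id: str, client_secret: str,
                                      requested_subject: str,
                                      audience: Optional[str] = None) -> dict:
    # Direct naked impersonation: no subject_token is sent, the client's own
    # credentials authorise the exchange. requested_subject is a username or
    # user id; audience optionally names the client the token is minted for.
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "requested_subject": requested_subject,
    }
    if audience:
        form["audience"] = audience
    return form


def exchange(url: str, form: dict, timeout: float = 10) -> dict:
    # POST the form to the token endpoint and return the parsed token response.
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def unverified_claims(jwt: str) -> dict:
    # Read the payload of a compact JWS for inspection only. This does NOT
    # verify the signature; a resource server must verify before trusting it.
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    pad = "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(parts[1] + pad))


def sanity_check(claims: dict, client_id: str, username: str,
                 now: Optional[float] = None) -> bool:
    # Confirm the minted token is for the intended user, was issued to this
    # client (azp) and has not expired. Not a substitute for signature checks.
    now = time.time() if now is None else now
    return (claims.get("preferred_username") == username
            and claims.get("azp") == client_id
            and claims.get("exp", 0) > now)


def _constructed_jwt(claims: dict) -> str:
    # UNSIGNED demo token so the example runs offline. Constructed sample only;
    # a real Keycloak access token is signed (RS256 by default).
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample shaped like a Keycloak token response (not captured).
SAMPLE_RESPONSE = {
    "access_token": _constructed_jwt({
        "sub": "2f1c0e8a-0000-4000-8000-000000000001",
        "preferred_username": "alice",
        "azp": "account-manager",
        "iss": "https://sso.example.test/realms/demo",
        "exp": 4102444800,  # 2100-01-01, so the sample never expires
    }),
    "token_type": "Bearer",
    "expires_in": 300,
}

if __name__ == "__main__":
    url = token_endpoint("https://sso.example.test", "demo")
    form = build_naked_impersonation_request("account-manager", "s3cret", "alice")
    # resp = exchange(url, form)  # against a real server with the grant enabled
    resp = SAMPLE_RESPONSE
    claims = unverified_claims(resp["access_token"])
    print(url, sanity_check(claims, "account-manager", "alice"))
```

The point of the shape: the request carries no user credential and no stored per-user secret, which is what the question asks for; the trust lives entirely in the client secret plus the impersonation permission, so that secret and the set of users the client may impersonate are the things to scope tightly.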