

From openid-configuration to user JWT information by curl

I am looking for the full sequence of curl steps, from the OpenID configuration document to the user's information, in Keycloak.

I can get openid-configuration API via curl

curl --location --request GET 'http://localhost:8080/auth/realms/my-realm/.well-known/openid-configuration'

I got this result but have no idea what the next step is. Can someone show me how to get a JWT token and then retrieve the user information with curl commands?

{
  "issuer": "http://localhost:8080/auth/realms/my-realm",
  "authorization_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token",
  "introspection_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/userinfo",
  "end_session_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/logout",
  "frontchannel_logout_session_supported": true,
  "frontchannel_logout_supported": true,
  "jwks_uri": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/certs",
  "check_session_iframe": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
    "client_credentials",
    "urn:ietf:params:oauth:grant-type:device_code",
    "urn:openid:params:grant-type:ciba"
  ],
  "response_types_supported": [
    "code",
    "none",
    "id_token",
    "token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "id_token_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5"
  ],
  "id_token_encryption_enc_values_supported": [
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512"
  ],
  "userinfo_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512",
    "none"
  ],
  "request_object_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512",
    "none"
  ],
  "request_object_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5"
  ],
  "request_object_encryption_enc_values_supported": [
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post",
    "query.jwt",
    "fragment.jwt",
    "form_post.jwt",
    "jwt"
  ],
  "registration_endpoint": "http://localhost:8080/auth/realms/my-realm/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post",
    "tls_client_auth",
    "client_secret_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "introspection_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post",
    "tls_client_auth",
    "client_secret_jwt"
  ],
  "introspection_endpoint_auth_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "authorization_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "authorization_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5"
  ],
  "authorization_encryption_enc_values_supported": [
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512"
  ],
  "claims_supported": [
    "aud",
    "sub",
    "iss",
    "auth_time",
    "name",
    "given_name",
    "family_name",
    "preferred_username",
    "email",
    "acr"
  ],
  "claim_types_supported": [
    "normal"
  ],
  "claims_parameter_supported": true,
  "scopes_supported": [
    "openid",
    "roles",
    "profile",
    "web-origins",
    "microprofile-jwt",
    "phone",
    "address",
    "offline_access",
    "email"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "tls_client_certificate_bound_access_tokens": true,
  "revocation_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/revoke",
  "revocation_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post",
    "tls_client_auth",
    "client_secret_jwt"
  ],
  "revocation_endpoint_auth_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "device_authorization_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/auth/device",
  "backchannel_token_delivery_modes_supported": [
    "poll",
    "ping"
  ],
  "backchannel_authentication_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/ext/ciba/auth",
  "backchannel_authentication_request_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "ES256",
    "RS256",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "require_pushed_authorization_requests": false,
  "pushed_authorization_request_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/ext/par/request",
  "mtls_endpoint_aliases": {
    "token_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token",
    "revocation_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/revoke",
    "introspection_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token/introspect",
    "device_authorization_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/auth/device",
    "registration_endpoint": "http://localhost:8080/auth/realms/my-realm/clients-registrations/openid-connect",
    "userinfo_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/userinfo",
    "pushed_authorization_request_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/ext/par/request",
    "backchannel_authentication_endpoint": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/ext/ciba/auth"
  }
}



Answers (1)

Bench Vue


Here are the steps to get user information, starting from the openid-configuration document.

1. Get the token endpoint URL

TOKEN_URL=$(curl --location --request GET 'http://localhost:8180/auth/realms/test/.well-known/openid-configuration' | jq -r '.token_endpoint')
echo $TOKEN_URL

result

http://localhost:8180/auth/realms/test/protocol/openid-connect/token

2. Get an ID token from the token endpoint found in step 1

ID_TOKEN=$(curl --location --request POST "$TOKEN_URL" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=openid' \
--data-urlencode 'username=user' \
--data-urlencode 'password=1234' | jq -r '.id_token')

echo $ID_TOKEN

result

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrTXNKN25mdUFpYWFBYXhZeFp2WXo3WWVFaVh6Nk5hZzV6LXMyazFreUpNIn0.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.EFxqpiFkevbyipH2iSXRtYufTz-DAeC7Hd8a2Oz8zyhJN8LLu8yXJGgKRDpqkBvhbALo51CEbzlp9l0a5LDmDLAqOABS4nRdB5QFw69nCngACEirPyw-rMmvM7flsM3i4Yyl49kX8DZ2Y-E5KSuUIDN2-qe8DYFlJh-pw5oGRa6pKAdjyJ72hUP5tCfFGmDi_iU_6nSFXBZPXG0pETTQ_OqW6OFE1xAjp5dV0GuSjHKa8q0cDBkUmWnj0zpxQB0TQjh6e3WkSrJNmnWT4mqoUbwjDHXKelw-P6jbbewTAMugA01uPJWDH1sUBfkpJWTM9BHo3-kXEMYLsLjh5PQeuQ

3. Decode the ID token

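# jwtd TOKEN
#   Print the decoded JSON header and payload of a compact-serialised JWT
#   (header.payload.signature), then its raw signature segment.
#   Decoding is not verification: nothing here checks the signature, so the
#   printed claims are untrusted until the token has been validated against the
#   issuer's jwks_uri and its iss/aud/exp claims checked.
#   Returns 1 (with a message on stderr) when jq is not installed, instead of
#   silently printing nothing.
jwtd() {
    if ! command -v jq >/dev/null 2>&1; then
        echo "jwtd: jq is required but was not found in PATH" >&2
        return 1
    fi
    # JWT segments are base64url (RFC 7515): '-' and '_' stand for '+' and '/'.
    # Translate them first so jq's @base64d sees the standard alphabet.
    tr '_-' '/+' <<< "${1}" | jq -R 'split(".") | .[0],.[1] | @base64d | fromjson'
    echo "Signature: $(echo "${1}" | awk -F'.' '{print $3}')"
}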

jwtd $ID_TOKEN

result

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "kMsJ7nfuAiaaAaxYxZvYz7YeEiXz6Nag5z-s2k1kyJM"
}
{
  "exp": 1664160894,
  "iat": 1664160594,
  "auth_time": 0,
  "jti": "b27a7c2d-5d07-41ef-af21-59074e14ad24",
  "iss": "http://localhost:8180/auth/realms/test",
  "aud": "admin-cli",
  "sub": "3912c6d0-f210-4bed-8c56-70364d228add",
  "typ": "ID",
  "azp": "admin-cli",
  "session_state": "100965e0-2210-4be5-903e-c834f4cbda48",
  "at_hash": "UpaF7tozlKkgtGiZFCO3VQ",
  "acr": "1",
  "sid": "100965e0-2210-4be5-903e-c834f4cbda48",
  "email_verified": false,
  "preferred_username": "user",
  "email": "[email protected]"
}
Signature: EFxqpiFkevbyipH2iSXRtYufTz-DAeC7Hd8a2Oz8zyhJN8LLu8yXJGgKRDpqkBvhbALo51CEbzlp9l0a5LDmDLAqOABS4nRdB5QFw69nCngACEirPyw-rMmvM7flsM3i4Yyl49kX8DZ2Y-E5KSuUIDN2-qe8DYFlJh-pw5oGRa6pKAdjyJ72hUP5tCfFGmDi_iU_6nSFXBZPXG0pETTQ_OqW6OFE1xAjp5dV0GuSjHKa8q0cDBkUmWnj0zpxQB0TQjh6e3WkSrJNmnWT4mqoUbwjDHXKelw-P6jbbewTAMugA01uPJWDH1sUBfkpJWTM9BHo3-kXEMYLsLjh5PQeuQ

Reference: Decoding JSON Web Tokens (JWTs) from the Linux command line.

