
How to get your custom access tokens from Keycloak


Access tokens open the doors to APIs, and Keycloak and OpenID Connect provide the ways to get them. The authorization code flow provides them to users and the client credentials grant provides them to services. With token exchange, you can swap one token for another with the right audience and scopes so it fits the APIs.


Alexander Schwartz

August 04, 2025


Transcript

  1. How to get your custom access tokens from Keycloak
     Alexander Schwartz | Keycloak Maintainer
     KubeCon India | Hyderabad (IN) | 2025-08-06
  2. Get the tokens via OpenID Connect
     Keycloak encodes access tokens as JSON Web Token (JWT).
     Access tokens are passports for your API requests.

       GET /admin/realms/master/... HTTP/1.1
       Accept: */*
       Authorization: Bearer eyJhb...OQN8A
       User-Agent: Mozilla...
  3. Decode the JWT or call the token introspection. Each item is a claim.

       {
         "exp": 1754241348,
         "iat": 1754241288,
         "iss": "http://127.0.0.1:8080/realms/master",
         "aud": "account",
         "sub": "8992fb2f-a4cd-4e2e-b90c-a0efe6a57b01",
         "acr": "0",
         "resource_access": {
           "account": {
             "roles": [ "manage-account", "manage-account-links" ]
           }
         },
         "email_verified": false,
         "name": "Theo Tester",
         "preferred_username": "demo",
  4. Customize tokens by configuration
     • Create scopes to group the claims
     • Make scopes optional, enabled by default, or disabled per client
     • Map claims to scopes or individual clients
     • Decide if information is available in the access token, ID token or only via the token introspection endpoint
  5. Customize tokens at runtime
     • Clients request scopes at the time of login
     • Clients use token exchange to re-scope a token for the right audience and scopes

       GET ${authorization_endpoint} + "&scope=openid+email+address..."

       POST ${token endpoint}
       ...
       grant_type=urn:ietf:params:oauth:grant-type:token-exchange&
       subject_token=...&
       subject_token_type=...&
       requested_token_type=...
  6. Get your custom tokens with Keycloak
     • Admins configure mappers and scopes per client. Build your own mappers as an extension if needed.
     • Clients ask for scopes in the authentication flow.
     • Use token exchange to re-scope tokens.
     Delegate Authentication and a Lot More To Keycloak With OpenID Connect: Aug 6 12:10 IST @ MRG 1-6
     Project table: Aug 6 3:10 pm - 7:15 pm / Aug 7 1:25 pm - 3:50 pm
     www.keycloak.org
  7. Links
     • Keycloak https://www.keycloak.org/
     • Keycloak Token Exchange https://www.keycloak.org/securing-apps/token-exchange
     • Keycloak at KubeCon India https://www.keycloak.org/2025/06/keycloak-kubecon25-india-announce