Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to get your custom access tokens from Keycloak

Avatar for Alexander Schwartz Alexander Schwartz
August 04, 2025
Technology
0
2

How to get your custom access tokens from Keycloak

Access tokens open the doors to APIs, and Keycloak and OpenID Connect provide you the ways to get them. The authentication code flow provides them to users and the client credential grant provides it to services. With token exchange, you can swap one token for another with the right audience and scopes so it fits the APIs.

Avatar for Alexander Schwartz

Alexander Schwartz

August 04, 2025
Tweet

More Decks by Alexander Schwartz

See All by Alexander Schwartz
Delegating the chores of authenticating users to Keycloak
Avatar for Alexander Schwartz ahus1
0
200
Making users happy with Service Level Indicators and observability
Avatar for Alexander Schwartz ahus1
0
80
Translating Keycloak is a collaborative effort
Avatar for Alexander Schwartz ahus1
1
27
How to benefit from the latest Keycloak features
Avatar for Alexander Schwartz ahus1
0
310
Evolving real-world AsciiDoc into a specification and how it will help the ecosystem
Avatar for Alexander Schwartz ahus1
1
150
Using DPoP to use access tokens securely in your Single Page Applications
Avatar for Alexander Schwartz ahus1
0
110
Online-Dokumentation, die hilft: Strukturen, Prozesse, Tools
Avatar for Alexander Schwartz ahus1
0
180
What’s new in Keycloak, the open source IAM?
Avatar for Alexander Schwartz ahus1
1
270
Running a highly available Identity and Access Management with Keycloak
Avatar for Alexander Schwartz ahus1
0
180

Other Decks in Technology

See All in Technology
SAE J1939シミュレーション環境構築
Avatar for okzkey daikiokazaki
1
210
モバイルゲームの開発を支える基盤の歩み ~再現性のある開発ラインを量産する秘訣~
Avatar for QualiArts qualiarts
0
1k
LIFF CLIとngrokを使ったLIFF/LINEミニアプリのお手軽実機確認
Avatar for morimorikochan diggymo
0
140
マルチモーダル基盤モデルに基づく動画と音の解析技術
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
4
410
私とAWSとの関わりの歩み~意志あるところに道は開けるかも?~
Avatar for nagisa_53 nagisa53
1
150
Microsoft Learn MCP/Fabric データエージェント/Fabric MCP/Copilot Studio-簡単・便利なAIエージェント作ってみた -"Building Simple and Powerful AI Agents with Microsoft Learn MCP, Fabric Data Agent, Fabric MCP, and Copilot Studio"-
Avatar for 大竹礼二(REIJI OTAKE) reireireijinjin6
1
210
ファインディにおける Dataform ブランチ戦略
Avatar for Noriaki Hiraki hiracky16
0
250
From Live Coding to Vibe Coding with Firebase Studio
Avatar for Firebase Thailand firebasethailand
1
390
クマ×共生 HACKATHON - 熊対策を『特別な行動」から「生活の一部」に -
Avatar for ふぁらお加藤 pharaohkj
0
270
alecthomas/kong はいいぞ
Avatar for FUJIWARA Shunichiro fujiwara3
6
1.3k
AI駆動開発 with MixLeap Study【大阪支部 #3】
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
300
Claude CodeでKiroの仕様駆動開発を実現させるには...
Avatar for Gota gotalab555
2
400

Featured

See All Featured
Balancing Empowerment & Direction
Avatar for Lara Hogan lara
1
520
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
29
2.8k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
235
140k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.4k
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
246
12k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
44
7.6k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
695
190k
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.4k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
70k
The Art of Programming - Codeland 2020
Avatar for Erika Heidi erikaheidi
54
13k
Music & Morning Musume
Avatar for Bryan Veloso bryan
46
6.7k
Writing Fast Ruby
Avatar for Erik Berlin sferik
628
62k

Transcript

  1. How to get your custom access tokens from Keycloak Alexander

    Schwartz | Keycloak Maintainer KubeCon India | Hyderabad (IN) | 2025-08-06

  2. Get the tokens via OpenID Connect. Keycloak encodes access tokens

    as JSON Web Token (JWT) GET /admin/realms/master/... HTTP/1.1 Accept: */* Authorization: Bearer eyJhb...OQN8A User-Agent: Mozilla... Access tokens are passports for your API Requests

  3. { "exp": 1754241348, "iat": 1754241288, "iss": "http://127.0.0.1:8080/realms/master", "aud": "account", "sub":

    "8992fb2f-a4cd-4e2e-b90c-a0efe6a57b01", "acr": "0", "resource_access": { "account": { "roles": [ "manage-account", "manage-account-links" ] } }, "email_verified": false, "name": "Theo Tester", "preferred_username": "demo", Decode the JWT or call the token introspection Each item is a claim.

  4. Customize tokens by configuration • Create scopes to group the

    claims • Make scopes optional, enabled by default, or disabled per client • Map claims to scopes or individual clients • Decide if information is available in in the access token, ID token or only via the token introspection endpoint

  5. Customize tokens at runtime • Clients request scopes at the

    time of login • Clients use token exchange to re-scope a token for the right audience and scopes POST ${token endpoint} ... grant_type=urn:ietf:params:oauth:grant-type:token-exchange& subject_token=...& subject_token_type=...& requested_token_type=... GET ${authorization_endpoint} + "&scope=openid+email+address..."

  6. Get your custom tokens with Keycloak • Admins configure mappers

    and scopes per client. Build your own mappers as an extension if needed. • Clients ask for scopes in the authentication flow. • Use token exchange to re-scope tokens. Delegate Authentication and a Lot More To Keycloak With OpenID Connect Aug 6 12:10 IST @ MRG 1-6 Project table Aug 6: 3:10 pm - 7:15 pm / Aug 7: 1:25 pm - 3:50 pm www.keycloak.org

  7. • Keycloak https://www.keycloak.org/ • Keycloak Token Exchange https://www.keycloak.org/securing-apps/token-exchange • Keycloak

    at KubeCon India https://www.keycloak.org/2025/06/keycloak-kubecon25-india-announce Links

  8. Contact Alexander Schwartz Principal Software Engineer [email protected] https://www.ahus1.de @ahus1.de @[email protected]