Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to get your custom access tokens from Keycloak

Avatar for Alexander Schwartz Alexander Schwartz
August 04, 2025
Technology
0
44

How to get your custom access tokens from Keycloak

Access tokens open the doors to APIs, and Keycloak and OpenID Connect provide you the ways to get them. The authentication code flow provides them to users and the client credential grant provides it to services. With token exchange, you can swap one token for another with the right audience and scopes so it fits the APIs.

Avatar for Alexander Schwartz

Alexander Schwartz

August 04, 2025
Tweet

More Decks by Alexander Schwartz

See All by Alexander Schwartz
Delegate authentication and a lot more to Keycloak with OpenID Connect
Avatar for Alexander Schwartz ahus1
0
250
Making users happy with Service Level Indicators and observability
Avatar for Alexander Schwartz ahus1
0
85
Translating Keycloak is a collaborative effort
Avatar for Alexander Schwartz ahus1
1
32
How to benefit from the latest Keycloak features
Avatar for Alexander Schwartz ahus1
0
320
Evolving real-world AsciiDoc into a specification and how it will help the ecosystem
Avatar for Alexander Schwartz ahus1
1
160
Using DPoP to use access tokens securely in your Single Page Applications
Avatar for Alexander Schwartz ahus1
0
110
Online-Dokumentation, die hilft: Strukturen, Prozesse, Tools
Avatar for Alexander Schwartz ahus1
0
190
What’s new in Keycloak, the open source IAM?
Avatar for Alexander Schwartz ahus1
1
280
Running a highly available Identity and Access Management with Keycloak
Avatar for Alexander Schwartz ahus1
0
190

Other Decks in Technology

See All in Technology
AIエージェント就活入門 - MCPが履歴書になる未来
Avatar for Ikko Eltociear Ashimine eltociear
0
550
Goでマークダウンの独自記法を実装する
Avatar for lag129 lag129
0
220
ドキュメントはAIの味方!スタートアップのアジャイルを加速するADR
Avatar for かわうそ kawauso
3
410
帳票Vibe Coding
Avatar for terurou terurou
0
140
「AI2027」を紐解く ― AGI・ASI・シンギュラリティ
Avatar for Masaya Mori (森正弥) / CAIO (Chief AI Officer) masayamoriofficial
0
110
Webアクセシビリティ入門
Avatar for Recruit recruitengineers
PRO
2
410
【 LLMエンジニアがヒューマノイド開発に挑んでみた 】 - 第104回 Machine Learning 15minutes! Hybrid
Avatar for soneo1127 soneo1127
0
120
JOAI発表資料 @ 関東kaggler会
Avatar for 日本人工知能オリンピック joai_committee
1
380
AIとTDDによるNext.js「隙間ツール」開発の実践
Avatar for Makoto Tateno makotot
6
720
[OCI Skill Mapping] AWSユーザーのためのOCI(2025年8月20日開催)
Avatar for oracle4engineer oracle4engineer
PRO
2
150
我々は雰囲気で仕事をしている / How can we do vibe coding as well
Avatar for Naomi Yamasaki naospon
2
220
モバイルアプリ研修
Avatar for Recruit recruitengineers
PRO
4
430

Featured

See All Featured
How GitHub (no longer) Works
Avatar for Zach Holman holman
315
140k
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
53
8.8k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
49
14k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
16k
Embracing the Ebb and Flow
Avatar for Simon Collison colly
87
4.8k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
31
2.2k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
7
820
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
301
51k
Music & Morning Musume
Avatar for Bryan Veloso bryan
46
6.7k
The MySQL Ecosystem @ GitHub 2015
Avatar for Sam Lambert samlambert
251
13k
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.4k

Transcript

  1. How to get your custom access tokens from Keycloak Alexander

    Schwartz | Keycloak Maintainer KubeCon India | Hyderabad (IN) | 2025-08-06

  2. Get the tokens via OpenID Connect. Keycloak encodes access tokens

    as JSON Web Token (JWT) GET /admin/realms/master/... HTTP/1.1 Accept: */* Authorization: Bearer eyJhb...OQN8A User-Agent: Mozilla... Access tokens are passports for your API Requests

  3. { "exp": 1754241348, "iat": 1754241288, "iss": "http://127.0.0.1:8080/realms/master", "aud": "account", "sub":

    "8992fb2f-a4cd-4e2e-b90c-a0efe6a57b01", "acr": "0", "resource_access": { "account": { "roles": [ "manage-account", "manage-account-links" ] } }, "email_verified": false, "name": "Theo Tester", "preferred_username": "demo", Decode the JWT or call the token introspection Each item is a claim.

  4. Customize tokens by configuration • Create scopes to group the

    claims • Make scopes optional, enabled by default, or disabled per client • Map claims to scopes or individual clients • Decide if information is available in in the access token, ID token or only via the token introspection endpoint

  5. Customize tokens at runtime • Clients request scopes at the

    time of login • Clients use token exchange to re-scope a token for the right audience and scopes POST ${token endpoint} ... grant_type=urn:ietf:params:oauth:grant-type:token-exchange& subject_token=...& subject_token_type=...& requested_token_type=... GET ${authorization_endpoint} + "&scope=openid+email+address..."

  6. Get your custom tokens with Keycloak • Admins configure mappers

    and scopes per client. Build your own mappers as an extension if needed. • Clients ask for scopes in the authentication flow. • Use token exchange to re-scope tokens. Delegate Authentication and a Lot More To Keycloak With OpenID Connect Aug 6 12:10 IST @ MRG 1-6 Project table Aug 6: 3:10 pm - 7:15 pm / Aug 7: 1:25 pm - 3:50 pm www.keycloak.org

  7. • Keycloak https://www.keycloak.org/ • Keycloak Token Exchange https://www.keycloak.org/securing-apps/token-exchange • Keycloak

    at KubeCon India https://www.keycloak.org/2025/06/keycloak-kubecon25-india-announce Links

  8. Contact Alexander Schwartz Principal Software Engineer [email protected] https://www.ahus1.de @ahus1.de @[email protected]