When testing REST services secured by Keycloak, you need to retrieve access tokens via Postman or a similar REST client. If you want to implement your own client that has to authenticate with a token, you also need to know the Keycloak OpenID endpoints in order to retrieve the access token, refresh it, or end the session (logout).
Retrieving the tokens for a public client using username and password

A public client is typically used for web applications and other client-side apps.

| Request | Value |
|---|---|
| Method | POST |
| URL | https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token |
| Body type | x-www-form-urlencoded |
| Form field | Value |
| client_id | `<my-client-name>` |
| grant_type | password |
| username | `<username>` |
| password | `<password>` |
Retrieving the tokens for a confidential client using a client secret

A confidential client is typically used for secure apps on the back end.

| Request | Value |
|---|---|
| Method | POST |
| URL | https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token |
| Body type | x-www-form-urlencoded |
| Form field | Value |
| client_id | `<my-confidential-client-name>` |
| grant_type | client_credentials |
| client_secret | `<my-client-secret>` |
Retrieve an access token with a refresh token

The first two methods yield an access token, which you send in the Authorization HTTP header, and a refresh token, which you save for later. Refresh tokens have a much longer expiry time than access tokens. The idea is that when the access token expires, you use the refresh token to get a new access token. This request also returns a new refresh token, so you can keep the session alive until the maximum refresh token expiry time is reached. The refresh token expiry time equals the session expiry time.

| Request | Value |
|---|---|
| Method | POST |
| URL | https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token |
| Body type | x-www-form-urlencoded |
| Form field | Value |
| client_id | `<my-client-name>` |
| grant_type | refresh_token |
| refresh_token | `<my-refresh-token>` |
Log out the session

To log out and invalidate the session, call the /logout endpoint with your refresh token. The validity of the refresh token is essentially the validity of your entire session.

| Request | Value |
|---|---|
| Method | POST |
| URL | https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/logout |
| Body type | x-www-form-urlencoded |
| Form field | Value |
| client_id | `<my-client-name>` |
| refresh_token | `<my-refresh-token>` |
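The four requests above form one lifecycle: obtain tokens (password or client-credentials grant), refresh before the access token expires, and log out to kill the session. The following Python client walks through that lifecycle with the standard library only; it is an added example, not code from the original post or from Keycloak. The realm `myrealm`, the client names, the credentials and the `FakeKeycloak` stand-in endpoint are constructed assumptions so the example runs offline; with the default transport the same class talks to the real `/token` and `/logout` endpoints listed above.

```python
"""Keycloak OpenID Connect token lifecycle: password grant, client-credentials
grant, refresh, and logout. Added example, not from the original post; realm,
client names, credentials and FakeKeycloak are constructed for offline use."""
import base64
import json
import time
import urllib.parse
import urllib.request

BASE = "https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect"
TOKEN_URL = BASE + "/token"
LOGOUT_URL = BASE + "/logout"


def http_post_form(url, fields):
    """Real transport: POST x-www-form-urlencoded, parse the JSON reply.
    /logout answers 204 with an empty body (hence `or b"{}"`); 4xx/5xx raise
    urllib.error.HTTPError. Never log `fields`: passwords, secrets, tokens."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read() or b"{}")


def jwt_exp(token):
    """Read `exp` from a JWT payload for refresh scheduling only. The signature
    is not checked here, so this must never drive an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


class KeycloakSession:
    def __init__(self, client_id, send=http_post_form, now=time.time):
        self.client_id, self.send, self.now = client_id, send, now
        self.access_token = self.refresh_token = None
        self.access_expires_at = 0

    def _store(self, tokens):
        self.access_token = tokens["access_token"]
        # every grant returns a new refresh token; always keep the newest one
        self.refresh_token = tokens.get("refresh_token", self.refresh_token)
        self.access_expires_at = self.now() + int(tokens["expires_in"])
        return tokens

    def login_password(self, username, password):       # public client
        return self._store(self.send(TOKEN_URL, {
            "client_id": self.client_id, "grant_type": "password",
            "username": username, "password": password}))

    def login_client_credentials(self, client_secret):   # confidential client
        return self._store(self.send(TOKEN_URL, {       # secret stays server-side
            "client_id": self.client_id, "grant_type": "client_credentials",
            "client_secret": client_secret}))

    def refresh(self):
        return self._store(self.send(TOKEN_URL, {
            "client_id": self.client_id, "grant_type": "refresh_token",
            "refresh_token": self.refresh_token}))

    def bearer_header(self, leeway=30):
        """Authorization header for API calls; refreshes a little before expiry
        so clock skew cannot turn the next request into a 401."""
        if self.now() >= self.access_expires_at - leeway:
            self.refresh()
        return {"Authorization": "Bearer " + self.access_token}

    def logout(self):
        self.send(LOGOUT_URL, {"client_id": self.client_id,
                               "refresh_token": self.refresh_token})
        self.access_token = self.refresh_token = None    # drop local copies too
        self.access_expires_at = 0


class FakeKeycloak:
    """Constructed stand-in for the token and logout endpoints (offline only)."""
    def __init__(self, now):
        self.now, self.calls, self.issued, self.logged_out = now, [], 0, False

    def __call__(self, url, fields):
        if url == LOGOUT_URL:
            self.calls.append("logout")
            self.logged_out = True
            return {}
        self.calls.append(fields["grant_type"])
        self.issued += 1
        b64 = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
        payload = json.dumps({"exp": self.now() + 60}).encode()
        token = b64(b'{"alg":"none"}') + "." + b64(payload) + ".sig"  # JWT-shaped
        return {"access_token": token, "expires_in": 60,
                "refresh_token": "rt-%d" % self.issued}


def demo():
    clock = [1_000_000]                       # constructed fake clock (epoch secs)
    fake = FakeKeycloak(now=lambda: clock[0])
    user = KeycloakSession("my-client-name", send=fake, now=lambda: clock[0])
    user.login_password("alice", "correct-horse")     # constructed credentials
    first_rt = user.refresh_token
    user.bearer_header()                      # token still fresh: no round trip
    clock[0] += 45                            # now inside the 30 s leeway window
    user.bearer_header()                      # triggers the refresh grant
    rotated = user.refresh_token != first_rt
    access_exp = jwt_exp(user.access_token)
    user.logout()
    svc = KeycloakSession("my-confidential-client-name", send=fake, now=lambda: clock[0])
    svc.login_client_credentials("my-client-secret")
    return {"grants": fake.calls, "rotated": rotated, "access_exp": access_exp,
            "logged_out": fake.logged_out and user.access_token is None}
```

`demo()` exercises the whole flow against the stand-in: the call log comes back as `password`, `refresh_token`, `logout`, `client_credentials`, the refresh token is rotated by the refresh grant, and after `logout()` no token remains in memory. `bearer_header()` is the practical form of "when the access token expires, use the refresh token": it refreshes shortly before `expires_in` runs out instead of waiting for a 401.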