Keycloak Client Credentials Flow Clarification

12
votes

I am using Keycloak server to implement SSO. I am able to get access token for a specific client using client_credentials flow.

However, my observation is that the access token is granted for internal service account of the client. I would like to get access token for other users present in realm by providing some additional parameter to the token endpoint.

Below is the current request I make to token endpoint using Postman Chrome extension:

POST http://localhost:8080/auth/realms/<realm>/protocol/<protocol>/token

x-www-form-urlencoded

grant_type        client_credentials
client_id         <client_id>
client_secret     <client_secret>

Please let me know if this possible. Also, I would like to convey that am totally new to Keycloak and openid-connect protocol.

1
openid-connectkeycloak

1 Answers

19
votes

I think you're misunderstanding some Oauth concepts right here. The client_credentials grant should only be used for a service itself to grant access to an specific resource. Imagine this scenario:

End User -> Docs Service -> Docs Repo

The end user has access to some docs stored in the repo through the docs service. In this case, the service makes the decision to grant the user access to a specific document or not, since the repo is a mere content server. Obviously, both of them are secured through two different keycloak clients.

However, the docs service needs to have full access to the repo. He can access any document he requests. The solution is to give the docs service a service account role, let's say DOC_MANAGER and make the repo check for this role when a resource is requested. The service authenticates with client_credentials and gets access to the resource as a service.

But the end user will perform a standard login, using the Authorization code flow, for example, and get access to the doc through the service. The service will check for another role, let's say DOC_USER and check whether the user has access to this concrete resource or not, before going to the repo.

You can read more about keycloak service accounts here.