Is there any way I can get the contents of the POST request for access tokens (http://localhost:8484/auth/realms/my_realm/protocol/openid-connect/token) and get both tokens on the screen in a GET request?
CodePudding user response:
Well, there is no such API from Keycloak where you can get both the access token and the refresh token in a GET request; it is possible only via the POST (API).
If your only intention is to view the tokens for development, then you can use Chrome dev tools or log them in your Spring Boot app.
CodePudding user response:
If you POST with this command, you can get both tokens (access and refresh).
#1 curl demo
curl -v \
-d "client_id=admin-cli" \
-d "username=user" \
-d "password=1234" \
-d "grant_type=password" \
-X \
POST "http://localhost:8484/auth/realms/test/protocol/openid-connect/token" | jq
This is the result
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrTXNKN25mdUFpYWFBYXhZeFp2WXo3WWVFaVh6Nk5hZzV6LXMyazFreUpNIn0.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.BzPrRNdgdyDgg7Y0BNNuAVDfC9NBOyo97JBpw-kfRr-NRPfcP27ch3FONC108v4GQqOLTLF0Z5y6SoQr2BcX9ZFqBm5d8_tSn2XSVSoxWh_ci91PYzfs4656_QLV2TBcTPrW69Z-5oCEUEGZjpKW2UsavEonwTlop80xoDVTpvfgfq-pv0gh8tX6260weynIxSALiy8srFs6ExHp8IGqp-bKNPXM35nM9BX9gPgKPrrbe-IenXO37ESazubqhdtznzcCEDFrTNnOKR87hiFcInx28o2sBMhcDiZxPbaIfNhCpENxnoeNPHFnVA6wayjaJSiBxKVO8EMVaOSlDTRS9w",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMTdkM2U5Yi1kMThlLTQyOGQtYTUxYS0xYzdiMzhkYTkxYjgifQ.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.UDV1fBhW8I7E9IELNK7XOvpy-6FJ_Bdir1wujYNvK_U",
"token_type": "Bearer",
"not-before-policy": 0,
"session_state": "e3b98ba2-b635-41f1-84a9-e95c6bd6f3a9",
"scope": "profile email"
}
#2 You can see the content via jwt.io
Copy the token from #1 and paste it into the Encoded section.
For the access token content:
{
"exp": 1665655584,
"iat": 1665655284,
"jti": "f40abf0c-f069-4aab-87ae-7c4009ff7d65",
"iss": "http://localhost:8484/auth/realms/test",
"sub": "3912c6d0-f210-4bed-8c56-70364d228add",
"typ": "Bearer",
"azp": "admin-cli",
"session_state": "e3b98ba2-b635-41f1-84a9-e95c6bd6f3a9",
"scope": "profile email",
"sid": "e3b98ba2-b635-41f1-84a9-e95c6bd6f3a9",
"email_verified": false,
"preferred_username": "user",
"email": "[email protected]"
}
for refresh token content
{
"exp": 1665657084,
"iat": 1665655284,
"jti": "b951054a-b59d-4621-a08f-0319fdb75e06",
"iss": "http://localhost:8484/auth/realms/test",
"aud": "http://localhost:8484/auth/realms/test",
"sub": "3912c6d0-f210-4bed-8c56-70364d228add",
"typ": "Refresh",
"azp": "admin-cli",
"session_state": "e3b98ba2-b635-41f1-84a9-e95c6bd6f3a9",
"scope": "profile email",
"sid": "e3b98ba2-b635-41f1-84a9-e95c6bd6f3a9"
}
Decoding JWT in bash command
ACCESS_TOKEN=$(curl --location --request POST "http://localhost:8484/auth/realms/test/protocol/openid-connect/token" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=user' \
--data-urlencode 'password=1234' | jq -r '.access_token')
Confirm access token
echo $ACCESS_TOKEN
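jwtd() {
  # Decode the header and payload of a JWT; this does not verify the signature.
  if [[ -x $(command -v jq) ]]; then
    # JWT segments are base64url: map "-" and "_" to "+" and "/" before @base64d.
    jq -R 'split(".") | .[0],.[1] | gsub("-";"+") | gsub("_";"/") | @base64d | fromjson' <<< "${1}"
    echo "Signature: $(echo "${1}" | awk -F'.' '{print $3}')"
  fi
}
jwtd "$ACCESS_TOKEN"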
result
{
"alg": "RS256",
"typ": "JWT",
"kid": "kMsJ7nfuAiaaAaxYxZvYz7YeEiXz6Nag5z-s2k1kyJM"
}
{
"exp": 1665656835,
"iat": 1665656535,
"jti": "6fdcd375-e721-4646-b725-4f5f23d8b103",
"iss": "http://localhost:8484/auth/realms/test",
"sub": "3912c6d0-f210-4bed-8c56-70364d228add",
"typ": "Bearer",
"azp": "admin-cli",
"session_state": "f0353bdd-0a08-49eb-bc2a-111ceb59dc56",
"scope": "profile email",
"sid": "f0353bdd-0a08-49eb-bc2a-111ceb59dc56",
"email_verified": false,
"preferred_username": "user",
"email": "[email protected]"
}
Same way to get refresh token
REFRESH_TOKEN=$(curl --location --request POST "http://localhost:8484/auth/realms/test/protocol/openid-connect/token" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=user' \
--data-urlencode 'password=1234' | jq -r '.refresh_token')
jwtd $REFRESH_TOKEN
result
$ jwtd $REFRESH_TOKEN
{
"alg": "HS256",
"typ": "JWT",
"kid": "a17d3e9b-d18e-428d-a51a-1c7b38da91b8"
}
{
"exp": 1665658687,
"iat": 1665656887,
"jti": "287a7f90-1435-44e6-b8c8-417eda935382",
"iss": "http://localhost:8484/auth/realms/test",
"aud": "http://localhost:8484/auth/realms/test",
"sub": "3912c6d0-f210-4bed-8c56-70364d228add",
"typ": "Refresh",
"azp": "admin-cli",
"session_state": "4beb4f1d-fb56-42b6-99ea-d13281b8db3f",
"scope": "profile email",
"sid": "4beb4f1d-fb56-42b6-99ea-d13281b8db3f"
}
Signature: JAyDz4qS9Jvi4u8sHS68NPP8721MzlQXPXNaIgtD7v8
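An added example, not part of the answer above: a Python decoder that does what jwtd does entirely on the local machine and cross-checks the decoded claims against the token response (exp - iat against expires_in and refresh_expires_in, and session_state). The function names are this example's own, and the sample tokens are constructed inline from the claim values shown above with a placeholder signature.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token: str) -> dict:
    """Decode header and payload locally. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, payload = (json.loads(b64url_decode(p)) for p in parts[:2])
    return {"header": header, "payload": payload, "signature": parts[2]}

def summarize_token_response(resp: dict) -> dict:
    """Decode both tokens and cross-check them against the response fields."""
    summary = {}
    for field, ttl_field in (("access_token", "expires_in"),
                             ("refresh_token", "refresh_expires_in")):
        claims = decode_jwt(resp[field])["payload"]
        lifetime = claims["exp"] - claims["iat"]
        summary[field] = {
            "typ": claims.get("typ"),
            "lifetime": lifetime,
            "matches_response": lifetime == resp[ttl_field],
            "same_session": claims.get("session_state") == resp["session_state"],
        }
    return summary

def make_sample(payload: dict) -> str:
    """Constructed sample token: real claim layout, placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"

SID = "e3b98ba2-b635-41f1-84a9-e95c6bd6f3a9"  # session_state shown above
SAMPLE_RESPONSE = {  # constructed from the values in the answer above
    "access_token": make_sample({"exp": 1665655584, "iat": 1665655284,
                                 "typ": "Bearer", "session_state": SID}),
    "refresh_token": make_sample({"exp": 1665657084, "iat": 1665655284,
                                  "typ": "Refresh", "session_state": SID}),
    "expires_in": 300, "refresh_expires_in": 1800, "session_state": SID,
}

if __name__ == "__main__":
    print(json.dumps(summarize_token_response(SAMPLE_RESPONSE), indent=2))
```

To use it on a real response, pass the parsed JSON body of the token endpoint reply to summarize_token_response in place of SAMPLE_RESPONSE.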