Keycloak
=== Retrieving external IDP tokens

{project_name} allows you to store tokens and responses from the authentication process with the external IDP.
For that, you can use the `Store Token` configuration option on the IDP's settings page.

Application code can retrieve these tokens and responses to pull in extra user information, or to securely invoke requests on the external IDP.
For example, an application might want to use the Google token to invoke on other Google services and REST APIs.
To retrieve a token for a particular identity provider you need to send a request as follows:

[source,subs="attributes+"]
----
GET {kc_realms_path}/{realm}/broker/{provider_alias}/token HTTP/1.1
Host: localhost:8080
Authorization: Bearer <KEYCLOAK ACCESS TOKEN>
----

An application must have authenticated with {project_name} and have received an access token. This access token
will need to have the `broker` client-level role `read-token` set. This means that the user must have a role mapping for this role
and the client application must have that role within its scope.
In this case, given that you are accessing a protected service in {project_name}, you need to send the access token issued by {project_name} during the user authentication.
In the broker configuration page you can automatically assign this role to newly imported users by turning on the `Stored Tokens Readable` switch.

These external tokens can be re-established by either logging in again through the provider, or using the client initiated account linking API.
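The retrieval described above, as an added client-side example that is not part of the {project_name} documentation or code base: it inspects the access token for the `broker` client-level role `read-token` before calling the broker endpoint, so a misconfigured role mapping surfaces as a clear local error rather than a rejected request. The base URL, realms path, realm name and provider alias are assumed values, and the unsigned sample token is constructed for offline demonstration only.

```python
import base64
import json
import urllib.request

# Assumed deployment values (not from the page): base URL and realms path.
KEYCLOAK_BASE = "http://localhost:8080"
REALMS_PATH = "/realms"


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying the signature.

    Only for inspecting a token the client already holds; Keycloak verifies
    the signature itself when the broker endpoint is called.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_read_token_role(access_token: str) -> bool:
    """True if the token carries the `broker` client-level role `read-token`."""
    roles = (jwt_claims(access_token).get("resource_access", {})
             .get("broker", {}).get("roles", []))
    return "read-token" in roles


def broker_token_url(realm: str, provider_alias: str) -> str:
    """Build {kc_realms_path}/{realm}/broker/{provider_alias}/token."""
    return f"{KEYCLOAK_BASE}{REALMS_PATH}/{realm}/broker/{provider_alias}/token"


def fetch_external_token(realm: str, provider_alias: str, access_token: str) -> str:
    """Retrieve the stored external IDP token for the user behind the access token.

    The local role check only gives a clearer error; Keycloak enforces the
    role server-side and rejects the request when it is missing.
    """
    if not has_read_token_role(access_token):
        raise PermissionError("access token lacks broker role 'read-token'")
    req = urllib.request.Request(
        broker_token_url(realm, provider_alias),
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def unsigned_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only (never accepted by Keycloak)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

With a real access token from the realm, `fetch_external_token("myrealm", "google", token)` returns the stored provider response as Keycloak saved it; the local role check is a convenience, not the security boundary.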