How to get your custom access tokens from Keycloak

Transcript

1. How to get your custom access tokens from Keycloak Alexander

   Schwartz | Keycloak Maintainer KubeCon India | Hyderabad (IN) | 2025-08-06

2. Get the tokens via OpenID Connect. Keycloak encodes access tokens

   as JSON Web Token (JWT) GET /admin/realms/master/... HTTP/1.1 Accept: */* Authorization: Bearer eyJhb...OQN8A User-Agent: Mozilla... Access tokens are passports for your API Requests

3. { "exp": 1754241348, "iat": 1754241288, "iss": "http://127.0.0.1:8080/realms/master", "aud": "account", "sub":

   "8992fb2f-a4cd-4e2e-b90c-a0efe6a57b01", "acr": "0", "resource_access": { "account": { "roles": [ "manage-account", "manage-account-links" ] } }, "email_verified": false, "name": "Theo Tester", "preferred_username": "demo", Decode the JWT or call the token introspection Each item is a claim.

4. Customize tokens by configuration • Create scopes to group the

   claims • Make scopes optional, enabled by default, or disabled per client • Map claims to scopes or individual clients • Decide if information is available in in the access token, ID token or only via the token introspection endpoint

5. Customize tokens at runtime • Clients request scopes at the

   time of login • Clients use token exchange to re-scope a token for the right audience and scopes POST ${token endpoint} ... grant_type=urn:ietf:params:oauth:grant-type:token-exchange& subject_token=...& subject_token_type=...& requested_token_type=... GET ${authorization_endpoint} + "&scope=openid+email+address..."

6. Get your custom tokens with Keycloak • Admins configure mappers

   and scopes per client. Build your own mappers as an extension if needed. • Clients ask for scopes in the authentication flow. • Use token exchange to re-scope tokens. Delegate Authentication and a Lot More To Keycloak With OpenID Connect Aug 6 12:10 IST @ MRG 1-6 Project table Aug 6: 3:10 pm - 7:15 pm / Aug 7: 1:25 pm - 3:50 pm www.keycloak.org

7. • Keycloak https://www.keycloak.org/ • Keycloak Token Exchange https://www.keycloak.org/securing-apps/token-exchange • Keycloak

   at KubeCon India https://www.keycloak.org/2025/06/keycloak-kubecon25-india-announce Links

8. Contact Alexander Schwartz Principal Software Engineer [email protected] https://www.ahus1.de @ahus1.de @[email protected]