Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to get your custom access tokens from Keycloak

Avatar for Alexander Schwartz Alexander Schwartz
August 04, 2025
Technology
0
43

How to get your custom access tokens from Keycloak

Access tokens open the doors to APIs, and Keycloak and OpenID Connect provide you the ways to get them. The authentication code flow provides them to users and the client credential grant provides it to services. With token exchange, you can swap one token for another with the right audience and scopes so it fits the APIs.

Avatar for Alexander Schwartz

Alexander Schwartz

August 04, 2025
Tweet

More Decks by Alexander Schwartz

See All by Alexander Schwartz
Delegate authentication and a lot more to Keycloak with OpenID Connect
Avatar for Alexander Schwartz ahus1
0
240
Making users happy with Service Level Indicators and observability
Avatar for Alexander Schwartz ahus1
0
85
Translating Keycloak is a collaborative effort
Avatar for Alexander Schwartz ahus1
1
32
How to benefit from the latest Keycloak features
Avatar for Alexander Schwartz ahus1
0
320
Evolving real-world AsciiDoc into a specification and how it will help the ecosystem
Avatar for Alexander Schwartz ahus1
1
160
Using DPoP to use access tokens securely in your Single Page Applications
Avatar for Alexander Schwartz ahus1
0
110
Online-Dokumentation, die hilft: Strukturen, Prozesse, Tools
Avatar for Alexander Schwartz ahus1
0
180
What’s new in Keycloak, the open source IAM?
Avatar for Alexander Schwartz ahus1
1
280
Running a highly available Identity and Access Management with Keycloak
Avatar for Alexander Schwartz ahus1
0
190

Other Decks in Technology

See All in Technology
[OCI Technical Deep Dive] OCIで生成AIを活用するためのソリューション解説(2025年8月5日開催)
Avatar for oracle4engineer oracle4engineer
PRO
0
130
GISエンジニアよ 現場に行け!
Avatar for ブーチョ sudataka
1
140
ウォンテッドリーのアラート設計と Datadog 移行での知見
Avatar for Kazuki Obata donkomura
0
260
サイボウズフロントエンドの横断活動から考える AI時代にできること
Avatar for mugi / Hajime Mugishima mugi_uno
3
1.3k
S3のライフサイクル設計でハマったポイント
Avatar for Kumada mkumada
0
100
第64回コンピュータビジョン勉強会@関東(後編)
Avatar for TSUKAMOTO Kenji tsukamotokenji
0
210
マイクロモビリティシェアサービスを支える プラットフォームアーキテクチャ
Avatar for gr1m0h grimoh
1
130
Oracle Exadata Database Service on Cloud@Customer X11M (ExaDB-C@C) サービス概要
Avatar for oracle4engineer oracle4engineer
PRO
2
6.4k
Amazon Inspector コードセキュリティで手軽に実現するシフトレフト
Avatar for mai miya maimyyym
0
150
MySQL HeatWave:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
4
1.6k
歴代のWeb Speed Hackathonの出題から考えるデグレしないパフォーマンス改善
Avatar for did0es shuta13
6
570
意志の力が9割。アニメから学ぶAI時代のこれから。
Avatar for Endo_Hizumi endohizumi
1
110

Featured

See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
Avatar for Eileen M. Uchitelle eileencodes
46
7.6k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1370
200k
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
23
3.6k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
161
15k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
134
9.5k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
251
21k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
44
2.4k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
32
1.1k
The Art of Programming - Codeland 2020
Avatar for Erika Heidi erikaheidi
54
13k
Building Adaptive Systems
Avatar for Chris Keathley keathley
43
2.7k
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
49
3k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
5.7k

Transcript

  1. How to get your custom access tokens from Keycloak Alexander

    Schwartz | Keycloak Maintainer KubeCon India | Hyderabad (IN) | 2025-08-06

  2. Get the tokens via OpenID Connect. Keycloak encodes access tokens

    as JSON Web Token (JWT) GET /admin/realms/master/... HTTP/1.1 Accept: */* Authorization: Bearer eyJhb...OQN8A User-Agent: Mozilla... Access tokens are passports for your API Requests

  3. { "exp": 1754241348, "iat": 1754241288, "iss": "http://127.0.0.1:8080/realms/master", "aud": "account", "sub":

    "8992fb2f-a4cd-4e2e-b90c-a0efe6a57b01", "acr": "0", "resource_access": { "account": { "roles": [ "manage-account", "manage-account-links" ] } }, "email_verified": false, "name": "Theo Tester", "preferred_username": "demo", Decode the JWT or call the token introspection Each item is a claim.

  4. Customize tokens by configuration • Create scopes to group the

    claims • Make scopes optional, enabled by default, or disabled per client • Map claims to scopes or individual clients • Decide if information is available in in the access token, ID token or only via the token introspection endpoint

  5. Customize tokens at runtime • Clients request scopes at the

    time of login • Clients use token exchange to re-scope a token for the right audience and scopes POST ${token endpoint} ... grant_type=urn:ietf:params:oauth:grant-type:token-exchange& subject_token=...& subject_token_type=...& requested_token_type=... GET ${authorization_endpoint} + "&scope=openid+email+address..."

  6. Get your custom tokens with Keycloak • Admins configure mappers

    and scopes per client. Build your own mappers as an extension if needed. • Clients ask for scopes in the authentication flow. • Use token exchange to re-scope tokens. Delegate Authentication and a Lot More To Keycloak With OpenID Connect Aug 6 12:10 IST @ MRG 1-6 Project table Aug 6: 3:10 pm - 7:15 pm / Aug 7: 1:25 pm - 3:50 pm www.keycloak.org

  7. • Keycloak https://www.keycloak.org/ • Keycloak Token Exchange https://www.keycloak.org/securing-apps/token-exchange • Keycloak

    at KubeCon India https://www.keycloak.org/2025/06/keycloak-kubecon25-india-announce Links

  8. Contact Alexander Schwartz Principal Software Engineer [email protected] https://www.ahus1.de @ahus1.de @[email protected]