
Who knows how to obtain the id_token with Keycloak?

I have been working with Keycloak in Java (Spring, JEE) and Postman.

The basics work fine, but I need the id_token, since there are some claims that are not present in the access_token but are present in the id_token.

Using the keycloak-core library I could obtain the Keycloak context, but the id_token attribute is always null.

Any idea?

Gal Margalit
Pablo Bastidas
  • `I have been working with Keycloak in Java (Spring, JEE) and postman.` @Pablo which Keycloak adapter are you using? Did you take a look at the official documentation regarding the [Security Context](http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/adapter-context.html)? – lazyneuron Mar 16 '18 at 14:50
  • Hi, thanks for your comment. I tried the Spring adapter and the Wildfly adapter, and I tried to get the id_token through HTTP calls. I checked the official documentation but could not find anything regarding the id_token or how to configure Keycloak to return it in the `/token` response. – Pablo Bastidas Mar 16 '18 at 15:06
  • I guess the access token and id token are equivalent here. You can still add custom claims if you want to: https://stackoverflow.com/questions/32678883/keycloak-retrieve-custom-attributes-to-keycloakprincipal – Aritz Mar 16 '18 at 19:04
  • Not really, the access token and id_token need not have the same information; sometimes the `id_token` is used for sensitive information, and that is the requirement I have now. – Pablo Bastidas Mar 16 '18 at 19:49

3 Answers


If you are using Keycloak version 3.2.1, then the mail chain below will help you.

> Hi All
>
> I am using the below curl command:
>
> curl -k https://IP-ADDRESS:8443/auth/realms/Test123/protocol/openid-connect/token -d "grant_type=client_credentials" -d "client_id=SURE_APP" -d "client_secret=ca3c4212-f3e8-43a4-aa14-1011c7601c67"
>
> In the above command's response the id_token is missing, which Kong requires to tell who I am.
>
> In my Keycloak realm -> client -> Full Scope Allowed -> True
>
> OK, I found it: we have to add
>
> scope=openid
>
> only then will it work.

Subodh Joshi
  • Thanks, your answer helped me a lot. I just added one thing: `realm->client->Service Accounts Enabled ->True`. With this I can obtain the `id_token` from the token endpoint. – Pablo Bastidas Mar 18 '18 at 18:03

I had the same thing with Keycloak version 3.4.3.

I added scope=openid to my request, as Gal Margalit mentioned in his answer, and it works.

Here is my request:

curl -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "scope=openid" -d "grant_type=password" -d "client_id=test" -d "username=test@test.hr" -d "password=test" 'https://YOUR-DOMAIN/realms/test123/protocol/openid-connect/token'

AntoineB
Amin

In Keycloak 2.x the id_token was inside the returned token object.
They removed it in Keycloak 3.x.
Just add the following to your request:

scope: "openid"

as listed below, to retain the id_token:

http://lists.jboss.org/pipermail/keycloak-user/2018-February/013170.html

Gal Margalit
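All three answers converge on the same fix: send `scope=openid` to the token endpoint so Keycloak 3.x includes an `id_token` in the response. The script below is an added example, not code from the question, the answers, or the Keycloak project. It builds a client_credentials token request with that scope, pulls the `id_token` out of the JSON response, and base64url-decodes the JWT payload so the extra claims can be inspected; the server URL, realm, client id, secret and the sample token response are placeholders constructed for the example. Decoding only reads the claims: a relying party must still verify the signature against the realm's published keys before trusting them.

```shell
#!/bin/sh
# Added example (not from the original question or answers): request tokens
# from Keycloak with scope=openid and decode the id_token claims.
# The values below are placeholders (assumptions); override via environment.
KEYCLOAK_URL="${KEYCLOAK_URL:-https://keycloak.example.com/auth}"
REALM="${REALM:-Test123}"
CLIENT_ID="${CLIENT_ID:-my-client}"
CLIENT_SECRET="${CLIENT_SECRET:-REPLACE_ME}"

# Form body for the client_credentials grant. scope=openid is what makes
# Keycloak 3.x return an id_token next to the access_token.
token_request_body() {
    printf 'grant_type=client_credentials&client_id=%s&client_secret=%s&scope=openid' \
        "$CLIENT_ID" "$CLIENT_SECRET"
}

# Live request against the token endpoint (needs a reachable server).
fetch_tokens() {
    curl -sS -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
        --data "$(token_request_body)" \
        "$KEYCLOAK_URL/realms/$REALM/protocol/openid-connect/token"
}

# Print one top-level string field of the JSON token response.
# $1 = JSON text, $2 = key; prints nothing when the key is absent.
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Unpadded base64url, as used for JWT segments (RFC 7515).
b64url_encode() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Decode the payload (second dot-separated segment) of a JWT.
# This reads the claims only; it does NOT verify the signature.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Constructed sample data standing in for a live token endpoint response.
make_sample_jwt() {
    hdr=$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url_encode)
    pl=$(printf '%s' "$1" | b64url_encode)
    printf '%s.%s.' "$hdr" "$pl"
}
SAMPLE_CLAIMS='{"sub":"f:1234:pablo","email":"pablo@example.com","aud":"my-client"}'
sample_token_response() {
    printf '{"access_token":"ACCESS_TOKEN_PLACEHOLDER","expires_in":300,"token_type":"bearer","id_token":"%s","scope":"openid email"}' \
        "$(make_sample_jwt "$SAMPLE_CLAIMS")"
}

# Print the id_token claims from a token response, or fail when the response
# has no id_token (the symptom in the question: scope=openid was not sent).
id_token_claims() {
    tok=$(json_field "$1" id_token)
    if [ -z "$tok" ]; then
        echo "no id_token in response: did you send scope=openid?" >&2
        return 1
    fi
    jwt_payload "$tok"
}

# Usage against a live server:   id_token_claims "$(fetch_tokens)"
# Offline, on the constructed sample:   id_token_claims "$(sample_token_response)"
```

The decoded payload is where the claims missing from the access_token (here an `email` claim, constructed for the sample) show up; the `aud` claim should name your own client before the token is accepted.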