67

I need to make the user keep login in the system if the user's access_token get expired and user want to keep login. How can I get newly updated access_token with the use of refresh_token on Keycloak?

I am using vertx-auth for the auth implementation with Keycloak on vert.x. Is it possible to refresh access_token with vertx-auth or Keycloak's REST API itself? Or what will be another implementation of this?

RaiBnod
  • 2,141
  • 2
  • 19
  • 25

4 Answers4

153

keycloak has REST API for creating an access_token using refresh_token. It is a POST endpoint with application/x-www-form-urlencoded

Here is how it looks: 

Method: POST
URL: https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token
Body type: x-www-form-urlencoded
Form fields:    
client_id : <my-client-name>
grant_type : refresh_token
refresh_token: <my-refresh-token>

This will give you new access token using refresh token.

NOTE: if your refresh token is expired it will throw 400 exception in that you can make user login again.

Check out a sample in Postman, you can develop and corresponding API using this.

Sample in Postman

azro
  • 53,056
  • 7
  • 34
  • 70
Yogendra Mishra
  • 2,399
  • 2
  • 13
  • 20
  • 6
    I tried this with `2.5.4` and it still requires the client secret for this request. It makes now sense though as to why the client secret will be required if the refresh token is being provided. – rrrocky Dec 13 '18 at 06:42
  • 9
    The client secret is required only if it is a *confidential* client. *Public* clients do not require the client secret. – rrrocky Dec 13 '18 at 08:45
  • 9
    Can someone explain why the client secret is required when refreshing a token for a confidential client? – Kimble Dec 21 '18 at 08:42
  • 1
    @all ,Why refresh token is jwt format? stateless but google and auth0 use stateful. – Panup Pong Sep 12 '19 at 10:51
  • 1
    @Kimble _confidential client_ in Keycloak is meant to server applications, where storing a client secret is secure. Take a look on the docs (here)[https://www.keycloak.org/docs/6.0/server_admin/#oidc-clients] – asd123ea Aug 20 '20 at 20:09
  • Hi all, I know it's old but I want to ask a bit. I use login phase to get the init token with aud=app1 for example. But when the token is expired, I tried and to refresh the token by calling http://{uri}/realms/{my_realm}/protocol/openid-connect/token, and the result I get the token with different aud, like aud=app2. So how can It be and how can I change app2 to app1, thanks! – iamatsundere181 Jan 11 '21 at 10:24
  • @BasselKh so client secret is not needed? If so may I ask your client configuration? Thanks – Matteo Aug 17 '21 at 13:48
  • 1
    @Matteo : grant_type: refresh_token , client_id: your client id , refresh_token: the original refresh token – Bassel Kh Aug 17 '21 at 16:17
  • It seems this request also returns a new refresh token. Is this correct? If we want to renew an access token, the refresh token should be refreshed as well? Or the correct flow will be: use access tokens -> if access token expires: use refresh token to get new access token -> if refresh token expires: login and get new refresh and access token. By always creating a new refresh token, it seems that logout could never hapen. – Antonis S Dec 17 '21 at 12:24
  • Please add **client_secret** to the body – phancuongviet Dec 28 '22 at 08:24
6

@maslick is correct you have to supply the client secret too, no need for authorization header in this case:

http://localhost:8080/auth/realms/{realm}/protocol/openid-connect/token

enter image description here

In case of expired refresh token it returns:

enter image description here

If you don't add the secret you get 401 unauthorized even though the refresh token is correct

enter image description here

Khalifa
  • 107
  • 1
  • 4
  • 2
    I have just tested it, you only need the client secret if the client **that issued the token** is confidential – Matteo Aug 19 '21 at 00:35
1

I tried with 4.8.2.Final, it gives following unauthorized_client even with previous access token as 'Bearer'. Then I tried with Basic YXBwLXByb3h5OnNlY3JldA== in Authorization header. Then it worked, But still I'm not sure that I am doing right thing.

Sampath Nawgala
  • 11
  • 1
  • For the Authorization headers it all comes down to what the server is looking for in the header value. If this works then you're probably not incorrect. – charliebeckwith Jan 28 '19 at 05:45
  • 2
    You're probably using a confidential client, so you need to include ``client_secret`` in the request – maslick Feb 08 '19 at 15:12
  • 3
    why would anyone want to use refresh token if I have to pass client_secret for confidential client? IMO, Keycloak should return access_token just by passing client_id and refresh_token since it acts like a secret. – ganesan arunachalam May 20 '20 at 13:30
1

Extending Yogendra Mishra's answer. Note that client_id and client_secret can also be sent in Authorization header.

Authorization: Basic ${Base64(<client_id>:<client_secret>)}

This works for both initial token call (without refresh token) and refresh token call to /openid-connect/token endpoint

Basic auth1

don't need to send clientid and secret in body after setting auth headers

Reference: https://developer.okta.com/docs/reference/api/oidc/#client-secret

Abdul Rauf
  • 5,798
  • 5
  • 50
  • 70