6

I have a secured architecture with Keycloak (see Securing thorntail service with KEYCLOAK for schema). It works well. But now, I can't figure out how to make service A get some info from secured Service B on its own.

If the flow is FrontEnd (authenticated, so it has a token) / service A / secured Service B, then OK, A accesses B. But, for example, first thing in the morning (@startup) service A needs to get some info from service B, with no token to forward... how do I do it?

Lbro

1 Answer

7

Client Credentials Flow is what you need. https://www.keycloak.org/docs/latest/authorization_services/#_service_protection_permission_api_papi

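# client_id, client_secret and realm_name must be set as shell variables first.
# Double quotes let the shell expand them; --data-urlencode encodes special characters.
curl -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "grant_type=client_credentials" \
    --data-urlencode "client_id=${client_id}" \
    --data-urlencode "client_secret=${client_secret}" \
    "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"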

This is from the Keycloak documentation (https://www.keycloak.org/docs/latest/authorization_services/#_service_protection_permission_api_papi).

Check also this: https://auth0.com/docs/flows/concepts/client-credentials

andrija
  • Thx. So if I understand well, in service A, at startup I should get a token with a POST, and then use it for further requests? What troubles me is that it seems so low level to me; isn't it managed in some way by the keycloak-microprofile-jwt fraction? – Lbro May 14 '20 at 20:18
  • It doesn't have to be on startup. I fetch tokens the first time I need them. You can put the access token in a cache and when it expires just fetch a new one. Also, you have to handle the token-expired exception and fetch a new token when you get it. – andrija May 15 '20 at 08:25
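
The lazy fetch, cache and refetch-on-expiry pattern described in the comments above, sketched in Python as an added example (not code from the answer or from Keycloak). The class and function names, the 30-second skew and the injectable `post`/`clock` parameters are assumptions made for illustration; the form fields match the curl call in the answer and the `access_token`/`expires_in` fields come from the standard OAuth 2.0 token response.

```python
import json
import time
import urllib.parse
import urllib.request


def post_form(url, fields):
    """Default transport: POST url-encoded form fields, return the parsed JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as resp:
        return json.load(resp)


class ClientCredentialsTokens:
    """Caches the access token of one confidential client (service A). Hypothetical helper."""

    def __init__(self, token_url, client_id, client_secret,
                 post=post_form, clock=time.monotonic, skew=30):
        self._url, self._post, self._clock, self._skew = token_url, post, clock, skew
        # Keep the secret out of logs and exception messages.
        self._fields = {"grant_type": "client_credentials",
                        "client_id": client_id, "client_secret": client_secret}
        self._token, self._expires_at = None, 0.0

    def get(self):
        """Return the cached token; fetch a new one on first use or `skew` seconds before expiry."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            body = self._post(self._url, self._fields)
            self._token = body["access_token"]
            self._expires_at = self._clock() + int(body["expires_in"])
        return self._token

    def invalidate(self):
        """Drop the cached token, e.g. after service B rejected it."""
        self._token = None


def call_with_token(tokens, send):
    """send(token) -> (status, body). On 401, fetch a fresh token and retry exactly once."""
    status, body = send(tokens.get())
    if status == 401:
        tokens.invalidate()
        status, body = send(tokens.get())
    return status, body
```

Retrying only once keeps a revoked client or a misconfigured audience from turning into a request loop against the token endpoint.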