I have the following Keycloak client config, to use the PKCE authentication flow:

Realm: REALM

Client ID:              pkce-client
Client Protocol:        openid-connect
Access Type:            public
Standard Flow Enabled:  ON
Valid Redirect URIs:    http://localhost:4200/ 

Advanced Settings:
Proof Key for Code Exchange Code Challenge Method: S256

When authenticating from a Flutter app in the iOS Simulator via openid_client (https://pub.dev/packages/openid_client) like this:

  authenticate() async {

    var uri = Uri.parse('http://$localhost:8180/auth/realms/REALM');
    var clientId = 'pkce-client';
    var scopes = List<String>.of(['profile', 'openid']);
    var port = 4200;

    var issuer = await Issuer.discover(uri);
    var client = new Client(issuer, clientId);

    urlLauncher(String url) async {
      if (await canLaunch(url)) {
        await launch(url, forceWebView: true);
      } else {
        throw 'Could not launch $url';
      }
    }

    var authenticator = new Authenticator(
        client,
        scopes: scopes,
        port: port,
        urlLancher: urlLauncher,
    );

    var auth = await authenticator.authorize();
    var token = await auth.getTokenResponse();
    return token;
  }

I get the following response: [screenshot]

How do I get a new access token with the refresh token?

I tried:

POST http://localhost:8180/auth/realms/REALM/protocol/openid-connect/token
Content-Type: application/x-www-form-urlencoded
client_id: pkce-client
grant_type: refresh_token
refresh_token: "received refresh token"

but I get:

{"error":"invalid_client","error_description":"Invalid client credentials"}

How do I need to prepare the request to refresh the access token?

Thanks in advance

midi

1 Answer

One cause of the problem could be that you need to include the client_secret as well in the request. This might be needed if the client is a "confidential" client.

See the discussion here for further details: Refresh access_token via refresh_token in Keycloak

Tore Nestenius
  • I am using pkce, so my client does not have client_secret. Do I need to retrieve the refresh token on another client that has a client_secret? I want to avoid having client_secret in the app. – midi Dec 12 '21 at 21:19
  • PKCE does not have anything to do with the client_secret? – Tore Nestenius Dec 13 '21 at 07:50
  • Access Type is public, so no client_secret is provided. – midi Dec 13 '21 at 11:21
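
For reference, an added example (not code from the question or the answer): a refresh request for a public client as RFC 6749 section 6 defines it, with the parameters form-encoded in the POST body and no client_secret. It assumes package:http; refreshForm, parseTokenReply, refreshTokens and ReauthenticationRequired are hypothetical names, and the replies in main are constructed.

```dart
import 'dart:convert';
import 'package:http/http.dart' as http;

/// Raised when the refresh token is rejected and the user must log in again.
class ReauthenticationRequired implements Exception {
  final String reason;
  ReauthenticationRequired(this.reason);
}

/// Refresh parameters for a public client: client_id in the body, no secret.
Map<String, String> refreshForm(String clientId, String refreshToken) => {
      'grant_type': 'refresh_token',
      'refresh_token': refreshToken,
      'client_id': clientId,
    };

/// Turns a token endpoint reply into the decoded token JSON.
Map<String, dynamic> parseTokenReply(int status, String body, String sentToken) {
  final reply = jsonDecode(body) as Map<String, dynamic>;
  if (status == 200) {
    // Keep the token that was sent when the reply carries no replacement.
    reply['refresh_token'] ??= sentToken;
    return reply;
  }
  if (reply['error'] == 'invalid_grant') {
    throw ReauthenticationRequired('${reply['error_description']}');
  }
  throw StateError('token endpoint returned $status: $body');
}

/// POSTs the form to the token endpoint, e.g. the URL used in the question.
Future<Map<String, dynamic>> refreshTokens(
    Uri tokenEndpoint, String clientId, String refreshToken) async {
  // package:http encodes a Map body as application/x-www-form-urlencoded.
  final reply =
      await http.post(tokenEndpoint, body: refreshForm(clientId, refreshToken));
  return parseTokenReply(reply.statusCode, reply.body, refreshToken);
}

void main() {
  // Constructed sample replies, not captured from a real server.
  final ok = parseTokenReply(200, '{"access_token":"new-at","expires_in":300}', 'old-rt');
  print('refresh token to store: ${ok['refresh_token']}');
  try {
    parseTokenReply(400, '{"error":"invalid_grant","error_description":"constructed"}', 'old-rt');
  } on ReauthenticationRequired catch (e) {
    print('login again: ${e.reason}');
  }
}
```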