在 Keycloak 中通过 refresh_token 刷新 access_token
[英]Refresh access_token via refresh_token in Keycloak
问题描述
I need to make the user keep login in the system if the user's access_token get expired and user want to keep login.
如果用户的access_token过期并且用户想保持登录,我需要让用户在系统中保持登录。 How can I get newly updated access_token with the use of refresh_token on Keycloak ?如何在Keycloak上使用refresh_token获取新更新的access_token ?
I am using vertx-auth for the auth implementation with Keycloak on vert.x .我在vert.x上使用vertx-auth通过Keycloak进行身份验证实现。 Is it possible to refresh access_token with vertx-auth or Keycloak 's REST API itself?是否可以使用vertx-auth或Keycloak的 REST API 本身刷新access_token ? Or what will be another implementation of this?或者这将是另一种实现方式是什么?
4 个解决方案
解决方案1
87 已采纳 2018-07-17 17:40:12
keycloak has REST API for creating an access_token using refresh_token . keycloak 具有用于使用refresh_token创建access_token REST API。 It is a POST endpoint with application/x-www-form-urlencoded它是一个POST endpoint with application/x-www-form-urlencoded的POST endpoint with application/x-www-form-urlencoded
Here is how it looks:这是它的外观:
Method: POST
URL: https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token
Body type: x-www-form-urlencoded
Form fields:
client_id : <my-client-name>
grant_type : refresh_token
refresh_token: <my-refresh-token>
This will give you new access token using refresh token.这将使用刷新令牌为您提供新的访问令牌。
NOTE: if your refresh token is expired it will throw 400 exception in that you can make user login again.注意:如果您的刷新令牌已过期,它将抛出 400 异常,您可以再次让用户登录。
Check out a sample in Postman, you can develop and corresponding API using this.查看 Postman 中的示例,您可以使用它开发和相应的 API。
解决方案2
1 2019-01-28 05:38:56
I tried with 4.8.2.Final, it gives following unauthorized_client even with previous access token as 'Bearer'.我尝试使用 4.8.2.Final,即使以前的访问令牌为“Bearer”,它也会提供以下unauthorized_client的客户端。 Then I tried with Basic YXBwLXByb3h5OnNlY3JldA== in Authorization header.然后我尝试在 Authorization 标头中使用Basic YXBwLXByb3h5OnNlY3JldA== 。 Then it worked, But still I'm not sure that I am doing right thing.然后它起作用了,但我仍然不确定我做对了。
解决方案3
1 2022-02-10 13:39:33
Extending Yogendra Mishra's answer.扩展 Yogendra Mishra 的回答。 Note that client_id and client_secret can also be sent in Authorization header.注意client_id和client_secret也可以在Authorization header中发送。
Authorization: Basic ${Base64(<client_id>:<client_secret>)}
This works for both initial token call (without refresh token) and refresh token call to /openid-connect/token endpoint这适用于初始令牌调用(没有刷新令牌)和对/openid-connect/token端点的刷新令牌调用
Reference: https://developer.okta.com/docs/reference/api/oidc/#client-secret参考: https://developer.okta.com/docs/reference/api/oidc/#client-secret
解决方案4
0 2021-07-03 11:56:16
@ maslick is correct you have to supply the client secret too, no need for authorization header in this case: @ maslick是正确的,您也必须提供客户端机密,在这种情况下不需要授权标头:
http://localhost:8080/auth/realms/{realm}/protocol/openid-connect/token http://localhost:8080/auth/realms/{realm}/protocol/openid-connect/token
In case of expired refresh token it returns:如果刷新令牌过期,它将返回:
If you don't add the secret you get 401 unauthorized even though the refresh token is correct如果您不添加密码,即使刷新令牌正确,您也会获得 401 未授权
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.