Refresh access_token via refresh_token in Keycloak
I need to keep the user logged in to the system if the user's access_token expires and the user wants to stay logged in. How can I get a newly updated access_token with the use of a refresh_token on Keycloak?
I am using vertx-auth for the auth implementation with Keycloak on vert.x. Is it possible to refresh the access_token with vertx-auth or with Keycloak's REST API itself? Or what would be another implementation of this?
Keycloak has a REST API for creating an access_token using a refresh_token. It is a POST endpoint with application/x-www-form-urlencoded. Here is how it looks:
Method: POST
URL: https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token
Body type: x-www-form-urlencoded
Form fields:
client_id : <my-client-name>
grant_type : refresh_token
refresh_token: <my-refresh-token>
This will give you a new access token using the refresh token.
NOTE: if your refresh token is expired it will throw a 400 exception, in which case you can make the user log in again.
Check out a sample in Postman; you can develop a corresponding API using this.
I tried with 4.8.2.Final; it gives the following unauthorized_client even with the previous access token as 'Bearer'. Then I tried with Basic YXBwLXByb3h5OnNlY3JldA== in the Authorization header. Then it worked, but still I'm not sure that I am doing the right thing.
Extending Yogendra Mishra's answer. Note that client_id and client_secret can also be sent in the Authorization header:
Authorization: Basic ${Base64(<client_id>:<client_secret>)}
This works for both the initial token call (without refresh token) and the refresh token call to the /openid-connect/token endpoint.
Reference: https://developer.okta.com/docs/reference/api/oidc/#client-secret
@maslick is correct: you have to supply the client secret too; there is no need for the Authorization header in this case:
http://localhost:8080/auth/realms/{realm}/protocol/openid-connect/token
In case of an expired refresh token it returns:
If you don't add the secret you get 401 unauthorized even though the refresh token is correct.
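The refresh exchange from Yogendra Mishra's answer, together with the two ways of passing the client secret that the later answers describe (Basic Authorization header, or client_id plus client_secret in the form body), as an added example that is not code from the question or any of the answers. It assumes a base URL of https://keycloak.example.com/auth, a realm "myrealm" and a confidential client "app-proxy" with secret "secret" (so its Basic header is the same YXBwLXByb3h5OnNlY3JldA== value quoted above); the endpoint responses in `fake_keycloak` are constructed so that the demo runs offline and mirrors what the thread reports (400 invalid_grant for an expired refresh token, 401 when the secret is missing). Note that the `/auth` prefix in the URL applies to Keycloak up to 16; the Quarkus-based distribution (17 and later) drops it by default.

```python
"""Refresh a Keycloak access_token with a refresh_token (added example, not from the page).
Assumed: base URL https://keycloak.example.com/auth, realm "myrealm", confidential
client "app-proxy" / secret "secret". All token-endpoint responses below are constructed."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


class RefreshTokenExpired(Exception):
    """Keycloak answered 400 invalid_grant: the refresh token is expired or revoked,
    so the caller should send the user through the login flow again."""


def token_endpoint(base_url, realm):
    # Keycloak <= 16 is served under /auth (as in the answers); 17+ drops that prefix.
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_refresh_request(base_url, realm, client_id, refresh_token,
                          client_secret=None, client_auth="basic"):
    """Return (url, headers, body) for a grant_type=refresh_token POST.
    Public client (no secret): only client_id in the body.
    Confidential client: secret in the Authorization header (client_auth="basic")
    or in the form body next to client_id (client_auth="post")."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if client_secret is None:
        fields["client_id"] = client_id
    elif client_auth == "basic":
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    elif client_auth == "post":
        fields["client_id"] = client_id
        fields["client_secret"] = client_secret
    else:
        raise ValueError("client_auth must be 'basic' or 'post'")
    return token_endpoint(base_url, realm), headers, urllib.parse.urlencode(fields).encode()


def parse_token_response(status, body):
    """Map the endpoint's (status, JSON body) to a token dict or a typed error."""
    data = json.loads(body)
    if status == 200:
        # The response carries a new refresh_token as well: store it and use the
        # newest one for the next refresh.
        return data
    if status == 400 and data.get("error") == "invalid_grant":
        raise RefreshTokenExpired(data.get("error_description", "invalid_grant"))
    # 401 here means client authentication failed (missing or wrong secret).
    raise RuntimeError(f"{status} {data.get('error')}: {data.get('error_description')}")


def send_with_urllib(url, headers, body):
    """Real transport: POST to Keycloak and return (status, raw body) even on 4xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def refresh_access_token(base_url, realm, client_id, refresh_token,
                         client_secret=None, client_auth="basic", send=send_with_urllib):
    url, headers, body = build_refresh_request(base_url, realm, client_id, refresh_token,
                                               client_secret, client_auth)
    status, resp_body = send(url, headers, body)
    return parse_token_response(status, resp_body)


def fake_keycloak(url, headers, body):
    """Constructed stand-in for the token endpoint so the demo runs offline."""
    fields = urllib.parse.parse_qs(body.decode())
    basic_ok = headers.get("Authorization") == "Basic YXBwLXByb3h5OnNlY3JldA=="  # app-proxy:secret
    post_ok = fields.get("client_id") == ["app-proxy"] and fields.get("client_secret") == ["secret"]
    if not (basic_ok or post_ok):
        return 401, json.dumps({"error": "unauthorized_client",
                                "error_description": "Invalid client secret"}).encode()
    if fields.get("refresh_token") == ["expired-refresh-token"]:
        return 400, json.dumps({"error": "invalid_grant",
                                "error_description": "Token is not active"}).encode()
    return 200, json.dumps({"access_token": "new-access-token", "expires_in": 300,
                            "refresh_token": "new-refresh-token", "token_type": "Bearer"}).encode()


if __name__ == "__main__":
    base, realm = "https://keycloak.example.com/auth", "myrealm"
    tokens = refresh_access_token(base, realm, "app-proxy", "valid-refresh-token",
                                  client_secret="secret", send=fake_keycloak)
    print("new access_token:", tokens["access_token"])
    try:
        refresh_access_token(base, realm, "app-proxy", "expired-refresh-token",
                             client_secret="secret", client_auth="post", send=fake_keycloak)
    except RefreshTokenExpired as err:
        print("refresh token expired, send the user back to login:", err)
```

Swap `send=fake_keycloak` for the default `send_with_urllib` to talk to a real server; the only thing that changes between the Basic-header and form-body variants is where the secret travels, which is why a 401 with a correct refresh token is the signature of a missing or wrong client secret rather than of an expired token.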