Closed karlTGA closed 4 years ago
Hi @karlTGA
openid-client strives to implement standards; Keycloak's bearer token authentication at the token_endpoint is not standard. As such it won't satisfy this requirement with out-of-the-box API support.
That's not to say you are not able to satisfy it with its existing API already. You can for instance use the HTTP Request Customization to execute such a grant with a bearer token.
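```js
const { custom } = require('openid-client');

// `issuer`, `client` and `accessTokenValue` are assumed to exist already.
client[custom.http_options] = (opts) => {
  // Only rewrite token endpoint requests that carry an access_token parameter.
  if (opts.url === issuer.token_endpoint && opts.body && opts.body.access_token) {
    const { access_token } = opts.body;
    // Move the token out of the form body and into the Authorization header.
    delete opts.body.access_token;
    opts.headers = opts.headers || {};
    opts.headers.Authorization = `Bearer ${access_token}`;
  }
  return opts;
};

// The grant call passes the token as a body parameter; the hook above relocates it.
client.grant({
  grant_type: 'urn:example:foo:bar',
  access_token: accessTokenValue,
});
```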
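A stricter variant of the hook from the comment above, added here as an example; it is not code from openid-client or from anyone in this thread. It only rewrites requests to the exact token endpoint, rejects token values that could smuggle extra headers (CR/LF), and copies the options instead of mutating them. `bearerGrantHook`, the `idp.example` URLs and the token values are constructed, and the request shape (`url`, `headers`, object `body`) is assumed from the snippet above.

```javascript
// Hypothetical helper, not part of openid-client.
// RFC 6750 b64token syntax: no spaces, CR or LF, so the value cannot
// break out of the Authorization header.
const B64TOKEN = /^[A-Za-z0-9\-._~+/]+=*$/;

// Returns an http_options-style hook bound to one token endpoint URL.
function bearerGrantHook(tokenEndpoint) {
  return function httpOptions(opts) {
    const body = opts.body;
    // Leave every request alone unless it targets the token endpoint
    // and carries the access_token marker parameter.
    if (String(opts.url) !== tokenEndpoint || !body || typeof body !== 'object'
        || !('access_token' in body)) {
      return opts;
    }
    const { access_token: token, ...rest } = body;
    if (typeof token !== 'string' || !B64TOKEN.test(token)) {
      throw new TypeError('access_token is not a valid bearer token value');
    }
    // Copy instead of mutating, so the token does not linger in the form body.
    return {
      ...opts,
      body: rest,
      headers: { ...(opts.headers || {}), Authorization: `Bearer ${token}` },
    };
  };
}

// Constructed sample requests (shape assumed from the snippet above).
const TOKEN_ENDPOINT = 'https://idp.example/realms/demo/token';
const hook = bearerGrantHook(TOKEN_ENDPOINT);
const grantRequest = hook({
  url: TOKEN_ENDPOINT,
  headers: { Accept: 'application/json' },
  body: { grant_type: 'urn:example:foo:bar', access_token: 'abc.def-123' },
});
const otherRequest = hook({
  url: 'https://idp.example/realms/demo/userinfo',
  body: { access_token: 'abc.def-123' },
});

// A token containing CR/LF must be refused rather than placed in a header.
function rejectsInjection() {
  try {
    hook({ url: TOKEN_ENDPOINT, body: { access_token: 'x\r\nX-Extra: 1' } });
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}
```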
Hi @panva,
thank you for the fast and capable help. That works for me. I have to admit that I still can't see through what is standard for OpenId and what is not. ^^
Is your feature request related to a problem? Please describe.
I use the openid-client to handle authorization and authentication with Keycloak. At this moment I try to check permissions of a user. Usually I can make a POST request to the token endpoint with the access token of the user as bearer token. Until now I have found no way to authenticate with an access_token. Instead the client uses the client_secret and the client_id.

Describe the solution you'd like
Maybe a good solution would be that I can optionally add an access_token to the grant method, like so:

```js
client.grant(body, access_token)
```

Additional context
In the Keycloak docs there are some examples of how they expect the permission requests. https://www.keycloak.org/docs/latest/authorization_services/#_authentication_methods