panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Make the grant call for a user with an access_token #211

Closed karlTGA closed 4 years ago

karlTGA commented 4 years ago

Is your feature request related to a problem? Please describe.
I use the openid-client to handle authorization and authentication with Keycloak. At this moment I try to check permissions of a user. Usually I can make a POST request to the token endpoint with the access token of the user as bearer token. Until now I found no way to authenticate with an access_token. Instead the client uses the client_secret and the client_id.

Describe the solution you'd like
Maybe a good solution is that I can add an access_token to the grant method optionally, like so: client.grant(body, access_token).

Additional context
In the Keycloak docs there are some examples of how they expect the permission requests. https://www.keycloak.org/docs/latest/authorization_services/#_authentication_methods

panva commented 4 years ago

Hi @karlTGA

openid-client strives to implement standards; Keycloak's bearer token authentication at the token_endpoint is not standard. As such it won't satisfy this requirement with out-of-the-box API support.

That's not to say you are not able to satisfy it with its existing API already. You can for instance use the HTTP Request Customization to execute such a grant with a bearer token.

const { custom } = require('openid-client');

// `issuer` and `client` are the Issuer and Client instances you already set up;
// `accessTokenValue` is the user's access token.
client[custom.http_options] = (opts) => {
  // Only token endpoint requests that carry an access_token body parameter
  // are rewritten; every other request is passed through untouched.
  if (opts.url === issuer.token_endpoint && opts.body.access_token) {
    const { access_token } = opts.body;
    // Move the token out of the form body and into the Authorization header.
    delete opts.body.access_token;
    opts.headers = opts.headers || {};
    opts.headers.Authorization = `Bearer ${access_token}`;
  }

  return opts;
};

// The access_token passed here is picked up by the hook above and sent as a bearer token.
client.grant({
  grant_type: 'urn:example:foo:bar',
  access_token: accessTokenValue,
});
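An added example (not code from this thread or from openid-client itself) that factors the hook above into a standalone function and runs it against a constructed request object, so the rewrite can be checked offline. It assumes the v3-style `{ url, headers, body }` options shape the answer relies on; the endpoint URL and token value are placeholders.

```javascript
// Returns an http_options hook bound to one token endpoint. Same behaviour as
// the snippet above: the access_token form parameter is moved into an
// Authorization: Bearer header, and only for requests to that endpoint.
function makeBearerGrantHook(tokenEndpoint) {
  return (opts) => {
    if (opts.url !== tokenEndpoint || !opts.body || !opts.body.access_token) {
      return opts; // not a token endpoint grant carrying a token: untouched
    }
    const { access_token } = opts.body;
    delete opts.body.access_token; // do not also send the token in the form body
    opts.headers = opts.headers || {};
    opts.headers.Authorization = `Bearer ${access_token}`;
    return opts;
  };
}

// Constructed placeholder endpoint (not a real deployment).
const TOKEN_ENDPOINT =
  'https://idp.example.com/auth/realms/demo/protocol/openid-connect/token';
const hook = makeBearerGrantHook(TOKEN_ENDPOINT);

// Constructed request, shaped like what client.grant() hands to the hook.
function demoGrant() {
  return hook({
    url: TOKEN_ENDPOINT,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: { grant_type: 'urn:example:foo:bar', access_token: 'constructed-token' },
  });
}

// A request to some other endpoint must pass through unchanged.
function demoOther() {
  return hook({ url: 'https://idp.example.com/userinfo', body: { access_token: 'x' } });
}
```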
karlTGA commented 4 years ago

Hi @panva,

thank you for the fast and capable help. That works for me. I have to admit that I still can't see through what is standard for OpenID and what is not. ^^