Keycloak - Access Tokens (RPT, PAT, OTHERS) - With Usage Example

Captions
Praise the Lord, good people. I'm happy to be back with another Keycloak tutorial, and I'm happy to be sharing this one specifically with you. We're going to be talking about access tokens within Keycloak. Keycloak has a number of access tokens, such as the requesting party token, abbreviated as RPT, the protection API token, abbreviated as PAT, and then the other, ordinary access token. I don't have a name for that, but allow me to call it the bearer token. I think even these others are of type bearer; correct me if I'm wrong in the comments section, I'd love to hear from you. But without further ado, let's jump right into it.

So what do we have here? I have a use case for you, because I thought, as opposed to just giving you a textbook definition of what RPT tokens are, a use case would be more proper for us to understand and relate to the concepts. Personally, I've also had a bit of a rough time, not really so rough, but I had a bit of a learning curve trying to understand the different tokens in Keycloak and what each one of them does. So with this use case I hope to be clearer, even though you might be hearing this for the very first time.

We have a user, our customer down here, who wants to access one of our services via a web browser. Here is our beautiful login page, and the services, which are over here (resource server one and so on), sit behind an authentication server. So the services here cannot be accessed unless you've been authorized to do so. This user has to be logged in and verified before we can give them access to our resources.

So let's look at the first token. In Keycloak lingo, when you log in using the username and password grant, by providing your username and your password, the authentication server, Keycloak, will respond back to you with an access token, which I'm choosing to call a bearer token. So the first step is you logging in and getting back a token.

I have my Postman open here to show you what's happening in the diagram back here. The first request is a login request, and these are the values that it takes: this is of grant type password, and then you're providing a username and a password and stating the client ID. We've talked about clients in Keycloak; if you don't know what this is, please refer to some of my older tutorials on this. So you provide a username and a password, and then you're calling that token endpoint. I'm using environment variables in Postman, but on the side here I just gave an example of what the endpoints are so that we are on the same page. In your installation you will have something like this, definitely with the IP here or the domain name, and then the other thing that changes is the realm name, your realm name, not the master realm. You can use the master realm, but it's discouraged; you are discouraged from using the master realm and encouraged to always create your own realm where your clients are going to be. So give it a cool name and then change this. That's for the token; we shall see this later.

So by supplying this (you've created a user who has a username; again, if you want to see how to create users, you can watch some of my other tutorials), send a request and we have a response back. This is our response: it looks like we have an access token, a refresh token down here, and a few other parameters down there. This token is what I was talking about when I say that when you provide your username and password and you call Keycloak for authentication, this is what you get back as the access token.

Maybe the other thing to note: I'll log in to my Keycloak here. Let's look at our clients. One of the values that we are providing is the client ID, this "lenders rest", so I wanted to show you what that is. "Lenders rest" is this, and it's a client, or a resource server, but what's unique about this one is the access type: it's a public one. And we have direct access grants enabled, so this allows us to use those username and password values and to use the password credentials grant for us to be able to authenticate with Keycloak. There are other access types, like confidential. We'll see this, because in our setup here this first resource server has a note down here, "public client", but then we have these other resource servers and the confidential client. There is a difference, and this is how the public one is configured: you have to choose public. For the confidential ones, we will not dive deep into what exactly they do and the differences, but I'll just give a little overview.

So where are we? We've gotten our token back, so this is the first kind of token; I refer to this as the ordinary token, the ordinary bearer token. You need to check out what's inside this token. It's a JWT-compliant token, so if you go over to jwt.io and paste it here on the left, it's decoded for you and you can see a couple of pieces of information. In this token the type is Bearer, this is our client "lenders rest", you have a bunch of roles here, and then the name, the preferred username, the email. So you have this information, but if you're to call a confidential client, there's more information that you need that is not within this token.

So that takes us to that second kind of token, which is called the RPT token. In our use case here, after you've authenticated with Keycloak and you've gotten a response back, the bearer token, the third request is your request for service from your browser. Because you have a token in the browser, you're sending a token to the resource server and you're requesting a service. In my setup I have this public client that is accessible by a web browser, by a mobile application, and I'm using this public client, or resource server (I will use the words client and resource server interchangeably because they mean one and the same thing), to request Keycloak to, number one, verify that the token I received is authentic, that it's Keycloak that issued this token, this Keycloak server of mine; Keycloak has to verify this. And then, secondly, I'm requesting Keycloak to exchange for me this bearer token and give back an RPT token. The RPT token is the requesting party token, because in the subsequent requests, when you try to access any of the resources, the confidential clients, you cannot use this normal token that we saw earlier; you have to use what we call an RPT token to access a confidential client when you're requesting a service. So that's why we have this resource server, and it's used mainly just to verify the token and exchange the bearer token from the browser for an RPT, which I never send back to the user. This RPT is sent to the resource server to verify it's authentic (not authenticated) and to grant service for my request.

So let's do it here. Let me show you one other thing: I have a simple script here that, whenever I run it, is setting my environment variables; it's setting the bearer token environment variable and the refresh token environment variable, because in the next request, when I'm requesting an RPT (remember, we are exchanging a bearer token for an RPT token), in the authorization tab I have to give it the bearer token that I received from my login request. So I supply the bearer token, which is also an environment variable there. The other fields that you have to give as you send your request are the audience, or the client for which you want this RPT. Remember, we have multiple clients back here; I have two, but you can have so many resource servers, and these can represent your MicroProfiles if you're coming from the Java world, or they could represent different services that you have on your server. So get the bearer, ordinary token first, then tell it which client, and then the grant type is this; copy it as is, and then send your request.

We have our response back here. It looks like the former response, but they're different. This now is an RPT: inside this access token we have an RPT, or a requesting party token. Let's copy it and go over to jwt.io (let me just spin up another tab so that you can see the difference in these tokens). First, the token here: some of the information is the same information that we have in this other token that we decoded, but you realize there is a bit of extra information. We didn't have this over here; it's just resources, we don't have this authorization. Authorization, again, I've talked about this in my other tutorials when I was talking about resources and how to protect resources. Under authorization we have our resources and the different scopes. For example, we have this resource called tax obligation resource, and this resource has a URI or URL behind it, but it's not shown here; I'll show you how to get that, I guess you want to see that. And then we have the different scopes, what we are able to do on this resource: we can modify this resource, we can view, we can create. By "we" I mean this user here, identified by this email, is able to do this. I can't delete; this resource has delete, but you can't see delete under their scopes because they don't have the delete rights.

Under Keycloak, another thing to note is the audience. We said the audience was lenders. Remember, we authenticated via this resource server, which was called "lenders rest", but then we got an RPT for this other client, which is called lenders. Let me log in and show you that client. This is the client here, and you realize that the access type here is also different: "Confidential clients require a secret to initiate login protocol", and so on. So it's not public but confidential, and then we have service accounts enabled, and then we have authorization enabled. With authorization enabled we are able to see the other information that we saw in our token, this authorization information here. So this is a different client, and actually this client has more stuff; there is this tab that is not available for the public client, and under resources this is the resource that you're seeing. The reason why you can only see this one (I have two resources here, but you only see this one) is that the client, or the user that is logged in, is only allowed to access this resource, so you won't be able to have the other one in the token. And you're seeing that it has a number of other scopes or permissions which are not available for that user, specifically that delete one. And a few other things here which I won't go into, because I already covered these in my other tutorials.

Now let's jump back here. We've got an RPT token, and I've shown you how it looks. Let's now look at the third token. The third token is the PAT, or the protection API token. Maybe to throw a little more light on the RPT before we move, just a bit of a recap: after you've exchanged your bearer token, or your normal ordinary token, for an RPT token, you're now able to forward the request to the specific server for which the RPT token was received, and then this server (okay, there should be another arrow here pointing to Keycloak, because this is connected to Keycloak) verifies with Keycloak that the RPT token that you've sent it is authentic, and that's when you receive a service for that resource that you've requested. And this can be multiple resource servers here in the configuration.

Okay, with that out of the way, let's look at the PAT token, which is not within our use case here, because this use case is done, but which can be useful for other things. I would add it here so that you know what it exactly does. So the PAT token takes just the client ID for which you want the protection API token, and then the client secret (these values are environment variables, that's why you can't see them), and then the grant type is client credentials. So that's all you need; you don't have to have anything on this side, you just need this when you send your request, and it sends you back the PAT. Let's see how it looks before I tell you what it does; let's fire up another browser tab. So this is the PAT token. It has a little more information. I think it also doesn't have the authorization information; it just has a couple of other things, but there's also this role, it's important, and this scope is for that PAT token. There's nothing much; I don't understand some of the things here, but I'll tell you what its use is, because I think you're more interested in that.

Remember when we looked at the PAT token, I told you that this is a resource ID, this is a resource name, but we don't have any more information about this resource; we don't have the URL, the URI. You can access that information from the client using a PAT, or protection API token. So I have another request here. The endpoint looks like this; of course, change this to your IP or your domain name, and change the realm name in the URL to your realm name, and then the rest stays the same. Then make a call. What we have here, we have resources. If you look at this ID, you realize that it looks like this ID here; it's the same. So this request returned back the resources that are available in that client, or resource server; which one? This one here, this client here. So it returns for us all the available resources.

You may be like, "ah, this doesn't give a lot of information". I know, but there's something we can do to resolve that. There are a few other params that this same request takes, but I omitted them here for brevity; I'll show them here. If you add this deep=true, then it goes in deep to give you a little more detail on the resources that are being returned. So let me run this, the same request as the other, but I've just added this, only this; the rest is the same. Voila, now we have the same ID here, but now they've given us the URI, what the URI is, and also we have the scopes, the different scopes under this resource, then the type of resource, who the owner is, whether it's owner-managed access. We have that information.

Then there's this other parameter, this last one here, scope=create. Excuse me; this first one here, if you don't provide the parameters, if you're not filtering anything, returns for you all the resources, all the resources in other clients, but then here you can come and restrict this to just the lenders client (the owner is called lenders) and to just bring for you only the lenders resources. So if I remove scope and I call this again... okay, our PAT has expired, let's get it again. So it's bringing for me two resources: this one here, which only has the view scope, and this second one here, which has the other scopes. But here previously I limited it to scope=create, and since we don't have create here, that's why it was only returning just this one which has create. If I confuse it and put something like that, then it's going to return for me nothing, because there's no such scope in our resources.

Lastly, remember all these are using that PAT token that we received; we are setting it here, and if you check in the authorization tab it's what we are using here. So this last one: you can get a resource by its ID, by using the ID, just supplying the resource ID here, if you want to get just one resource by its ID.

I know this has been a bit long, but I wanted to cover all this, and I hope you understand some of the principles behind the Keycloak access tokens, and I hope we've learned something. So let's meet in the next tutorial. God bless you. Bye.
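The three token requests from the video (password grant, RPT exchange, client credentials for a PAT) and the Protection API resource lookups, written as a small Python module added here as an example; it is not the video author's Postman collection or Keycloak's own code. It assumes a Keycloak 17+ URL layout (no legacy /auth prefix), placeholder host and realm names, and two constructed, unsigned sample tokens that only mimic the claim shapes the video decodes on jwt.io. The decoding helper deliberately does not verify signatures: a resource server must verify a token against the realm's keys (or via token introspection) before trusting any claim it reads.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed deployment values (placeholders, not taken from the video).
BASE_URL = "https://keycloak.example.com"
REALM = "lenders"
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def token_endpoint(base_url, realm):
    """Realm token endpoint (Keycloak 17+ layout, without the legacy /auth prefix)."""
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def resource_set_endpoint(base_url, realm, resource_id=None, **filters):
    """Protection API resource_set endpoint, by id or with filters such as
    deep=True, scope="create" or owner="lenders". Called with a PAT."""
    url = f"{base_url}/realms/{realm}/authz/protection/resource_set"
    if resource_id:
        url += "/" + resource_id
    params = {k: (str(v).lower() if isinstance(v, bool) else v)
              for k, v in filters.items() if v is not None}
    return url + ("?" + urlencode(params) if params else "")


# Form bodies for the three token requests. Each is POSTed to token_endpoint().
def password_grant_form(client_id, username, password):
    """Step 1: public client with direct access grants -> ordinary bearer token."""
    return {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}


def rpt_exchange_form(audience):
    """Step 2: sent with 'Authorization: Bearer <token from step 1>';
    exchanges that bearer token for an RPT for the named (confidential) client."""
    return {"grant_type": UMA_TICKET_GRANT, "audience": audience}


def client_credentials_form(client_id, client_secret):
    """Step 3: confidential client with service accounts -> PAT for the Protection API."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret}


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt_claims(token):
    """Decode the payload only. This does NOT verify the signature; it is what
    jwt.io shows, not what a resource server may rely on."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def is_rpt(claims):
    """An RPT carries the 'authorization' claim; the plain bearer token does not."""
    return "authorization" in claims


def granted_scopes(claims):
    """Map resource name -> set of scopes granted to this user in the RPT."""
    permissions = claims.get("authorization", {}).get("permissions", [])
    return {p["rsname"]: set(p.get("scopes", [])) for p in permissions}


def has_permission(claims, resource_name, scope):
    """Resource-server side check: is this scope on this resource in the RPT?"""
    return scope in granted_scopes(claims).get(resource_name, set())


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _constructed_token(claims):
    """Constructed, unsigned sample token: header.payload.placeholder."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}.placeholder"


# Constructed samples mirroring the claim shapes seen in the video.
BEARER_TOKEN = _constructed_token({
    "typ": "Bearer", "azp": "lenders rest", "preferred_username": "jane",
    "realm_access": {"roles": ["user"]},
})
RPT_TOKEN = _constructed_token({
    "typ": "Bearer", "azp": "lenders rest", "aud": "lenders",
    "preferred_username": "jane",
    "authorization": {"permissions": [{
        "rsid": "00000000-0000-0000-0000-000000000001",  # constructed id
        "rsname": "tax obligation resource",
        "scopes": ["view", "create", "modify"],          # no "delete"
    }]},
})

if __name__ == "__main__":
    print(token_endpoint(BASE_URL, REALM))
    print(resource_set_endpoint(BASE_URL, REALM, deep=True, scope="create"))
    rpt = decode_jwt_claims(RPT_TOKEN)
    print("is RPT:", is_rpt(rpt), "| bearer is RPT:", is_rpt(decode_jwt_claims(BEARER_TOKEN)))
    print("can view:", has_permission(rpt, "tax obligation resource", "view"))
    print("can delete:", has_permission(rpt, "tax obligation resource", "delete"))
```

The form builders return dicts to be sent as `application/x-www-form-urlencoded` bodies with any HTTP client; the RPT exchange and the resource_set calls additionally need an `Authorization: Bearer` header carrying, respectively, the step 1 bearer token and the PAT. Booleans in `resource_set_endpoint` are lowercased because Keycloak expects `deep=true`, not `deep=True`.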
Info
Channel: Arthur D. Mugume
Views: 7,650
Id: M8ym5UwnnZg
Length: 25min 30sec (1530 seconds)
Published: Fri Apr 22 2022