OAuth2 (Keycloak): client_credentials grant type additional claims
I have a scenario wherein there are multiple apps/service that need to access my Resource:
These are the three external services: service1, service2, service3.
Now I am using the client_credentials grant type for this since this is machine to machine and no user is involved.
What I did is to create 1 client for each service in Keycloak. It works fine, however I need to add some more details in the token, in particular, a human readable name for each client as the client id is named using the recommended naming.
I know how to map user claims to the token, but is it possible to have something similar for my scenario wherein there are no users and I only have the clients?
Yes, go to the Realm of your app, then:
- Go to Clients;
- Select your client;
- Select Mappers;
- click on the button
[Create]; - select
Hardcoded ClaimasMapper Type; - fill up the details of the claim
Click [Save].
Update answer with more detail
I know how to map user claims to the token, but is it possible to have something similar for my scenario wherein there are no users and I only have the clients?
Yes, you need to create 'Hardcoded Claim Mapper.
For that:
- Select the
realmof your app - Go to
clients - Select the appropriate
clientfor your use-case
(For the OLD Keycloak UI)
- Go to
Mappers - Click
Create - In
Mapper typeselectHardcoded claim - Fill up the details of the claim, accordingly.
- Click on
Save
(For the NEW Keycloak UI)
- Go to the tab
Client Scopes - Click on the client scope
<the client ID of your client>-dedicated(e.g., test-dedicated in the picture below)
- Click on
Configure a new mapper(orAdd Mapper>By configurationif you have already created mappers before for this client)
- Select
Hardcoded claim - Fill up the details of the claim, accordingly.
- Click on
Save
The client will be the client that you are using to authenticate against.
- Where can I find a list of scopes for Google's OAuth 2.0 API?
- Using ASP.Net Core Identity in parallel with OpenIdConnect OAuth2
- Spring security JWT without OAuth
- Add OAuth authentication for HTTP request triggers
- Get email, phone, etc from OAuth2 login
- BFF pattern for native apps in OAuth 2.0?
- Why is PKCE `code_verifier` calculated server-side in BFF pattern?
- Apache strips down "Authorization" header
- Fake Firebase Auth Tokens for Test Environment
- 3rd party cookies in Android 14/New Chrome using Angular/Firebase Auth/Hosting and NodeJs in Server
- Access Not Configured for Google OAUTH Login
- Authenticating to Microsoft 365 SMTP servers via OAuth2 only works for users without MFA
- Getting user data through an Azure AD OAuth login - React Native Expo App
- Callback github URI with Oauth2 and Spring Boot 3.4.0 not found after authentication
- spring oauth client (v6.4.2): does not redirect to oauth-server
- NextJs: server component vs server action
- Why Does OAuth v2 Have Both Access and Refresh Tokens?
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- DelegateAuthenticationProvider not found after updating Microsoft Graph
- How to generate and pass CSRF token for a route in spring cloud gateway with Spring Security
- How to set up an (Azure) OAuth2 application for personal Outlook.com accounts (Exchange) for usage with exchangelib?
- Is there a raw Http request way of OAuth2ing with Google?
- What is the purpose of the 'state' parameter in OAuth authorization request
- AWS API Gateway Access vs Id Token
- How to use the Requests OAuthlib with grant-type 'Client Credentials'?
- What is the purpose of a "Refresh Token"?
- Where to store the refresh token on the Client?
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Is possible to create a role based application with OAuth2?
- Cognito: User Pool Client OAuth Scope Limitation