OAuth2 (Keycloak): client_credentials grant type additional claims
I have a scenario wherein there are multiple apps/service that need to access my Resource:
These are the three external services: service1, service2, service3.
Now I am using the client_credentials grant type for this since this is machine to machine and no user is involved.
What I did is to create 1 client for each service in Keycloak. It works fine, however I need to add some more details in the token, in particular, a human readable name for each client as the client id is named using the recommended naming.
I know how to map user claims to the token, but is it possible to have something similar for my scenario wherein there are no users and I only have the clients?
Yes, go to the Realm of your app, then:
- Go to Clients;
- Select your client;
- Select Mappers;
- click on the button
[Create]; - select
Hardcoded ClaimasMapper Type; - fill up the details of the claim
Click [Save].
Update answer with more detail
I know how to map user claims to the token, but is it possible to have something similar for my scenario wherein there are no users and I only have the clients?
Yes, you need to create 'Hardcoded Claim Mapper.
For that:
- Select the
realmof your app - Go to
clients - Select the appropriate
clientfor your use-case
(For the OLD Keycloak UI)
- Go to
Mappers - Click
Create - In
Mapper typeselectHardcoded claim - Fill up the details of the claim, accordingly.
- Click on
Save
(For the NEW Keycloak UI)
- Go to the tab
Client Scopes - Click on the client scope
<the client ID of your client>-dedicated(e.g., test-dedicated in the picture below)
- Click on
Configure a new mapper(orAdd Mapper>By configurationif you have already created mappers before for this client)
- Select
Hardcoded claim - Fill up the details of the claim, accordingly.
- Click on
Save
The client will be the client that you are using to authenticate against.
- Error 400: invalid_scope with Postman and Google OAuth2
- PHP - How to get OAuth 2.0 Token
- UPS Outh Rating API return Invalid Authentication Information
- How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
- How to get Optum sandbox to authenticate with OAuth 2.0 using Java and okhttp
- Spring Boot redirection back to login page
- New Google place api using google OAuth, ask failed to refresh token
- Getting OAuth code challenge on loopback server
- How do I solve audience (aud) invalid claim error for downstream api service?
- oauth 2 parameters can only have a single value: scope
- #oauth2 security expressions on method level
- Calling spring authorization server OAuth2 REST endpoints
- Google AdWords API authorization raising AdsCommon::Errors::AuthError
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Passport - Node.js not returning Refresh Token
- AWS Cognito: Missing Scopes in Access Token with Custom UI and Device Remember Functionality for MFA
- Cross-client Google OAuth: Get auth code on iOS and access token on server
- How to generate GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET without a domain?
- Spring Gateway and OAuth
- OAuth Client Credential Flow - Refresh Tokens
- Django OAuth2 Authentication Failing in Unit Tests - 401 'invalid_client' Error
- Add OAuth authentication for HTTP request triggers
- OAuth2 implementation and user management Django
- How to enable a submit button if form fields are auto-filled by the browser using saved credentials on page load?
- AADSTS70000 Error When Requesting for Access Token
- Is storing an OAuth token in cookies bad practice?
- Spring OAuth2 client performs Back-Channel Logout with an expired ID token
- I/O error on GET request for "https://localhost/application/o/{name}/.well-known/openid-configuration": Connection refused
- Restrict Microsoft Azure App OAuth2.0 to Internal Users
- How can I "Get Microsoft Teams Users" Using of Microsoft Graph API