Simplest way to get current user logged in Keycloak

Question

I have implemented a really simple keycloak integration on my maven java web app. Assuming I am calling a url directly for the keycloak log in page . After entering my username & password on success i am being redirected on mypage.html , the url is like this If I break this down its What would be the simplest -

Accepted Answer

Looking at the requests you have made you have not completed the OIDC code flow.I&#8217;m assuming that your java application is acting as the OIDC client, in which case it will need to exchange the authorization code for access, id and refresh tokens by calling the token endpoint of your realm.e.g.POST /auth/realms/mmyrealm/protocol/openid-connect/token HTTP/1.1Host: server.example.comContent-Type: application/x-www-form-urlencodedAuthorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JWgrant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient.example.org%2FcbA description of the Token RequestThe simplest way would be to use a Java OIDC Client or OAuth2 client to do the authorisation and cod exchange for you and provide OAuth2/OIDC token primitives for you to code against.Have a look at:Scribe Java OAuth2 clientNimbus OIDC SDKThe details of the user will be in claims within the tokens returned by the token endpoint, if you are including the user claims in your tokens.Edit:The OIDC Authorization code flow is one of the OIDC authorisation flows. It provides the benefit of not exposing any of the actual tokens to the user agent &#8211; e.g. web browser &#8211; and allows the oidc client to authenticate with the token server before exchanging the code for the OIDC tokensAt a high level the following occurs:OIDC Client makes an authentication requestClient authenticates &#8211; this could be an end userAuthorisation server returns an Authorisation code &#8211; on a redirect &#8211; to the clientOIDC Client retrieves Access, ID and Refresh Tokens from the authorisation server&#8217;s token endpointIf needed User info is retrieved from the UserInfo endpoint or thge access token is inspected using the introspect endpointDetails of the actual user will be in claims with in the ID token, which is a plain JWT.Keycloak allows you to embed the claims in the Access token too.After authentication with Keycloak you will be redirected back to your web applications redirect URI.As per your breakdownhttp://localhost:8080/mypage.html?session_state=c9482da3-50ff-4176-bf3c-54227271c661&code=5d4aebda-54d8-41ad-8205-c4d7e021770f.c9482da3-50ff-4176-bf3c-54227271c661.d5c1b6ac-c427-46da-8509-f2689849103bYour requst handler will need to extract the code from that request and then make another call to keycloak to exchange the authorisation code for Access, ID and refresh tokense.g.POST /auth/realms/myrealm/protocol/openid-connect/token HTTP/1.1Host: localhost:8180ContentType: application/x-www-form-urlencodedAuthorization: <whatever method your oidc client is usingLgrant_type=authorization_code&code=5d4aebda-54d8-41ad-8205-c4d7e021770f.c9482da3-50ff-4176-bf3c-54227271c661.d5c1b6ac-c427-46da-8509-f2689849103b&client_id=myclientid&redirect_uri=....Ideally you have a route handler for accepting the tokens &#8211; maybe a tokens enpoint that also accepts query parameters that indicate the original uri requested so that you can redirect back to that if this is a user facing web application.If it is completely programatic then you can achive all of it using the nimbus sdk.The has a good summary of the various parts of Authorization Code flowhttps://rograce.github.io/openid-connect-documentation/explore_auth_code_flow

Advertisement

Answer