Simplest way to get current user logged in Keycloak

I have implemented a really simple Keycloak integration on my Maven Java web app. Assuming I am calling a URL directly for the Keycloak login page:

http://localhost:8180/auth/realms/myrealm/protocol/openid-connect/auth?client_id=myclientid&response_type=code&scope=openid&redirect_uri=http://localhost:8080/mypage.html

After entering my username & password, on success I am redirected to mypage.html; the URL is like this:

http://localhost:8080/mypage.html?session_state=c9482da3-50ff-4176-bf3c-54227271c661&code=5d4aebda-54d8-41ad-8205-c4d7e021770f.c9482da3-50ff-4176-bf3c-54227271c661.d5c1b6ac-c427-46da-8509-f2689849103b

If I break this down, it's:

http://localhost:8080/mypage.html?
session_state=c9482da3-50ff-4176-bf3c-54227271c661&
code=5d4aebda-54d8-41ad-8205-c4d7e021770f.c9482da3-50ff-4176-bf3c-54227271c661.d5c1b6ac-c427-46da-8509-f2689849103b

What would be the simplest, easiest way to get the user currently logged in so I can display its name?

Answer

Looking at the requests you have made, you have not completed the OIDC code flow.

I’m assuming that your Java application is acting as the OIDC client, in which case it will need to exchange the authorization code for access, ID and refresh tokens by calling the token endpoint of your realm.

e.g.

POST /auth/realms/myrealm/protocol/openid-connect/token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

A description of the Token Request

The simplest way would be to use a Java OIDC client or OAuth2 client to do the authorisation and code exchange for you and provide OAuth2/OIDC token primitives for you to code against.

Have a look at: Scribe Java OAuth2 client, Nimbus OIDC SDK.

The details of the user will be in claims within the tokens returned by the token endpoint, if you are including the user claims in your tokens.

Edit: The OIDC Authorization Code flow is one of the OIDC authorisation flows. It provides the benefit of not exposing any of the actual tokens to the user agent – e.g. web browser – and allows the OIDC client to authenticate with the token server before exchanging the code for the OIDC tokens.

At a high level the following occurs:

  1. OIDC Client makes an authentication request

  2. Client authenticates – this could be an end user

  3. Authorisation server returns an Authorisation code – on a redirect – to the client

  4. OIDC Client retrieves Access, ID and Refresh Tokens from the authorisation server’s token endpoint

  5. If needed, user info is retrieved from the UserInfo endpoint or the access token is inspected using the introspect endpoint

Details of the actual user will be in claims within the ID token, which is a plain JWT. Keycloak allows you to embed the claims in the access token too.

After authentication with Keycloak you will be redirected back to your web application’s redirect URI.

As per your breakdown:

http://localhost:8080/mypage.html?
session_state=c9482da3-50ff-4176-bf3c-54227271c661&
code=5d4aebda-54d8-41ad-8205-c4d7e021770f.c9482da3-50ff-4176-bf3c-54227271c661.d5c1b6ac-c427-46da-8509-f2689849103b

Your request handler will need to extract the code from that request and then make another call to Keycloak to exchange the authorisation code for access, ID and refresh tokens.

e.g.

POST /auth/realms/myrealm/protocol/openid-connect/token HTTP/1.1
Host: localhost:8180
Content-Type: application/x-www-form-urlencoded
Authorization: <whatever method your OIDC client is using>

grant_type=authorization_code&
code=5d4aebda-54d8-41ad-8205-c4d7e021770f.c9482da3-50ff-4176-bf3c-54227271c661.d5c1b6ac-c427-46da-8509-f2689849103b&
client_id=myclientid&
redirect_uri=....

Ideally you have a route handler for accepting the tokens – maybe a tokens endpoint that also accepts query parameters that indicate the original URI requested, so that you can redirect back to that if this is a user-facing web application. If it is completely programmatic then you can achieve all of it using the Nimbus SDK.

This has a good summary of the various parts of the Authorization Code flow: https://rograce.github.io/openid-connect-documentation/explore_auth_code_flow
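The five steps listed in the answer and the token request it sketches, carried through end to end as an added example (not code from the question, the answer, or Keycloak, and in Go rather than the asker's Java so that it runs with the standard library alone). It assumes a confidential client using client_secret_basic, an RS256-signed ID token, and the realm issuer URL derived from the question's auth URL; the client secret is a placeholder, the redirect and the ID token are constructed fixtures, and NewDemoKey stands in for the realm key pair that a real client would fetch from the realm's certs endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// ExtractAuthCode pulls the one-time code out of the redirect Keycloak sent the browser back to (step 3).
func ExtractAuthCode(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil || u.Query().Get("code") == "" {
		return "", fmt.Errorf("redirect carries no usable authorization code")
	}
	return u.Query().Get("code"), nil
}

// NewTokenRequest builds the authorization_code grant POST to the realm's token endpoint (step 4):
// form-encoded body, client credentials in a Basic header, redirect_uri identical to the auth request's.
func NewTokenRequest(tokenEndpoint, code, redirectURI, clientID, clientSecret string) (*http.Request, error) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code},
		"redirect_uri": {redirectURI}, "client_id": {clientID}}
	req, err := http.NewRequest(http.MethodPost, tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret) // client_secret_basic; the secret never reaches the browser
	return req, nil
}

// VerifyIDToken checks an RS256 ID token's signature against the realm key and validates iss, aud and
// exp before handing back its claims; only then is preferred_username safe to show as the logged-in user.
func VerifyIDToken(idToken string, pub *rsa.PublicKey, issuer, clientID string, now time.Time) (map[string]any, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header unreadable or alg is not RS256") // never accept alg=none or a downgrade
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature check failed")
	}
	var claims map[string]any
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, fmt.Errorf("payload unreadable")
	}
	if claims["iss"] != issuer || claims["aud"] != clientID { // OIDC also allows an aud array; handle it if your realm emits one
		return nil, fmt.Errorf("issuer or audience mismatch")
	}
	if exp, _ := claims["exp"].(float64); now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("token expired or has no exp")
	}
	return claims, nil
}

// SignIDToken mints an RS256 JWT so the example runs offline; it stands in for Keycloak, the only
// party that signs real ID tokens. NewDemoKey supplies the throwaway key pair that plays the realm's.
func SignIDToken(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pb, _ := json.Marshal(claims)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

func NewDemoKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

func main() {
	const issuer, clientID = "http://localhost:8180/auth/realms/myrealm", "myclientid"
	// Constructed redirect shaped like the question's; a constant input cannot fail, so the error is dropped.
	code, _ := ExtractAuthCode("http://localhost:8080/mypage.html?session_state=c9482da3-50ff-4176-bf3c-54227271c661&code=5d4aebda-54d8-41ad-8205-c4d7e021770f.c9482da3-50ff-4176-bf3c-54227271c661.d5c1b6ac-c427-46da-8509-f2689849103b")
	req, _ := NewTokenRequest(issuer+"/protocol/openid-connect/token", code, "http://localhost:8080/mypage.html", clientID, "CLIENT_SECRET_PLACEHOLDER")
	fmt.Println("token request ready:", req.Method, req.URL)
	// Constructed ID token in place of the real token response; a real client takes the realm's public key from <issuer>/protocol/openid-connect/certs.
	key := NewDemoKey()
	tok, _ := SignIDToken(key, map[string]any{"iss": issuer, "aud": clientID,
		"preferred_username": "alice", "exp": time.Now().Add(5 * time.Minute).Unix()})
	claims, err := VerifyIDToken(tok, &key.PublicKey, issuer, clientID, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("logged-in user:", claims["preferred_username"])
}
```

The request returned by NewTokenRequest is what an http.Client would send to the realm; the JSON it gets back carries access_token, id_token and refresh_token, and only the id_token that passes VerifyIDToken should feed the name shown on mypage.html. Binding the result to a server-side session rather than handing the raw tokens to the page keeps the benefit the answer's edit describes.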

User contributions licensed under: CC BY-SA