Keycloak OpenID Connect

Client 생성

• Client

  • Create Client
    • General Settings
      • Client type: OpenID Connect
      • Client ID: <clientId>
    • Capability config
      • Client authenticatoion: On (secret or jwt or secret-jwt 중 하나로 클라이언트 인증을 수행하는 기능)
      • Authorization: Off (keycloak의 정책을 통해 접근 제어를 수행하는 기능)
      • Authentication flow
        • Standard flow
        • Direct access grants
  • <clientId> 선택
    • Settings
      • Enabled: On
      • Valid Redirect URIs
        • https://*
        • 가능한 좁은 범위로 설정하는 것이 좋습니다
    • Credentials
      • Client Authenticator: Client ID and Secret
      • Client Secret: <clientSecret>

Acess Token에 groups 추가

• Client Scopes

  • Create client scope
    • Name: groups
    • Protocol: OpenID Connect
    • Include in token scope: On
  • groups 선택
    • Mappers
      • Configure a new mapper
        • Group Membership 선택
          • Name: groups
          • Token Claim Name: groups
          • Full group path: Off
          • Add to access token: On

• Client

  • <clientId> 선택
    • Client Scopes
      • Add client scope
        • groups
          • Add: Default
      • <clientId>-dedicated 선택
        • Configure a new mapper
          • Audience 선택
            • Name: audience
            • Included Client Audience: <clientId>
            • Included Custom Audience: <clientId>
            • Add to access token: On

Test

• https://www.keycloak.org/docs/latest/server_development/#examples-of-using-curl

curl -k -X POST https://<keycloak-url>/realms/<realm>/protocol/openid-connect/token \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "client_id=<clientId>" \
    -d "client_secret=<client-secret>" \
    -d "scope=openid" \
    -d "grant_type=password" \
    -d "username=<user>" \
    -d "password=<password>" \
    -d "totp=<otp>" \
| jq '.'