In this article we share our understanding of OAuth2 bearer token usage with Red Hat SSO (RH-SSO), the supported build of Keycloak.

1. Overview 

Access tokens are defined by RFC 6750 and are of type Bearer Token.

Access tokens are used to access the content of a resource according to the OAuth2 specification (RFC 6749).
To request access to a resource, the client sends a bearer token in its request to the resource server, which grants or denies access.
An access token is a bearer token and is passed in the OAuth2 Authorization header of the request.

An access token is like a ticket with a limited lifespan. It is delivered to the user and allows access to the resource after validation
by the authorization server.

2. Access token query example
Here is an example of an access token query and the response returned from the RH-SSO token endpoint.


3. Access Token Introspection

Below is shown how to read the access token content using the RH-SSO userinfo endpoint.


1. an access token is delivered to the user (access_token)
2. the user performs a query using the access token, adding to the header: « Authorization: bearer $access_token »


4. RH-SSO Bearer token type allocator

In RH-SSO, it is possible to define clients:

  • using client ID / client secret
  • using signed JWT
  • using bearer token

When an application uses « Bearer token » as its RH-SSO client authentication method, it means that:

  • there is no login interface to connect to the application
  • the only way to connect to the application is to present a bearer token (i.e. an access token).


In RH-SSO there is an example at
~/keycloak-2.5.x/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java

The bearer token is added to the Authorization header with the bearer syntax: addHeader("Authorization", "Bearer " + session.getTokenString()) (note the single space between the scheme name and the token).
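As an added example (not code from the article or from Keycloak), the following shows both ends of the bearer token usage described in sections 3 and 4: the client builds the Authorization header, and the resource server parses it according to RFC 6750 and answers with the proper WWW-Authenticate challenge when the token is missing or rejected. The function names, the realm name and the sample token map standing in for the authorization server's validation result are all constructed for this illustration.

```python
import re
from typing import Optional, Tuple

# RFC 6750 section 2.1: credentials are "Bearer" 1*SP b64token, where
# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# The scheme name is case-insensitive, so "bearer $access_token" (as written
# in section 3) is accepted just like "Bearer ...".
_BEARER_RE = re.compile(r"^\s*Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*$", re.IGNORECASE)


def build_authorization_header(access_token: str) -> str:
    """Client side: the header value a client adds, as in addHeader(...) above."""
    return "Bearer " + access_token


def extract_bearer_token(authorization_header: Optional[str]) -> Optional[str]:
    """Resource server side: return the token carried in the Authorization
    header, or None when the header is absent, uses another scheme (e.g. Basic)
    or is malformed."""
    if not authorization_header:
        return None
    match = _BEARER_RE.match(authorization_header)
    return match.group(1) if match else None


def challenge(realm: str, error: Optional[str] = None) -> str:
    """WWW-Authenticate value for a 401. RFC 6750 section 3: a request with no
    credentials gets a bare challenge; a rejected token gets error="invalid_token"."""
    value = f'Bearer realm="{realm}"'
    if error:
        value += f', error="{error}"'
    return value


def authorize_request(headers: dict, valid_tokens: dict, realm: str = "demo") -> Tuple[int, dict]:
    """Decide whether a request may reach the protected resource.
    `valid_tokens` maps token -> subject and stands in for the outcome of
    validating the token with the authorization server (constructed data here,
    not a real userinfo/introspection call). Header names are matched
    case-insensitively, as HTTP requires."""
    lowered = {name.lower(): value for name, value in headers.items()}
    token = extract_bearer_token(lowered.get("authorization"))
    if token is None:
        return 401, {"WWW-Authenticate": challenge(realm)}
    subject = valid_tokens.get(token)
    if subject is None:
        return 401, {"WWW-Authenticate": challenge(realm, "invalid_token")}
    return 200, {"sub": subject}


if __name__ == "__main__":
    tokens = {"eyJ.constructed.sample": "alice"}  # constructed sample token
    request = {"Authorization": build_authorization_header("eyJ.constructed.sample")}
    print(authorize_request(request, tokens))  # (200, {'sub': 'alice'})
```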


Olivier Rivat

Senior Software Engineer with over 25 years of experience in software development, support and consulting in Identity and Access Management solutions.
Specialised in IAM (security, access control, identity management) and Open Source integration, and established in 2004 by IAM industry veterans, JANUA offers high value-added products and services to businesses and governments concerned with Identity Management and Open Source components.
JANUA provides better security, builds relationships, and enables new cloud, mobile and IoT offerings from any device or connected thing.