After adding a new client with the OpenID Connect protocol in Keycloak, the next step before we can use it is to configure it for the OAuth 2.0 grant type we want. In this tutorial, I will show you how to add and configure a client that supports the OAuth 2.0 Authorization Code grant type in Keycloak!
Suppose I have created a new client named huongdanjava_authorization_code in Keycloak as follows:
By default, after creating a new client in Keycloak, the client supports both the Authorization Code grant type and the Resource Owner Password Credentials grant type (the Standard Flow Enabled field and the Direct Access Grants Enabled field are both turned on). Please disable the Resource Owner Password Credentials grant type by turning off the Direct Access Grants Enabled field! That grant lets the Client Application collect the user's password itself, which is exactly what the Authorization Code flow is meant to avoid, so a client that does not need it should not have it enabled.
In the Authorization Code grant type, after the user logs in, Keycloak can show an access grant page (the consent screen) before redirecting back to the client. You can turn this consent screen on or off with the Consent Required field. I will turn it on as an example:
We can change the theme of the user's login page using the Login Theme field. For your information, Keycloak lets us customize its default login theme and many other things!
The Access Type for this client is Confidential, because the Client Application will authenticate with a client secret when it exchanges the authorization code for tokens. (A client that cannot keep a secret, such as a single-page or mobile app, would use the Public access type together with PKCE instead.)
Another required piece of information for the Authorization Code grant type is the Redirect URIs, configured in the Valid Redirect URIs field. These are the only URIs to which Keycloak will return the authorization code for this client after the user logs in and grants access to the Client Application, so register exact URIs and avoid wildcard patterns such as *, which would let the code be delivered to an attacker-controlled URI. I will use https://oidcdebugger.com/ as the Client Application in this tutorial, so I configure the Redirect URI as https://oidcdebugger.com/debug as follows:
The client secret for this client is shown in the Credentials tab:
At this point, we have completed the basic configuration for the client with the Authorization Code grant type!
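The settings above can also be checked outside the admin console, for example against a realm export or the admin REST API. The following is an added example, not code from the tutorial: it holds a constructed ClientRepresentation (the JSON shape Keycloak uses for clients, with the secret replaced by a placeholder) that matches the configuration we just made, and an audit function that flags the settings this tutorial tells you to avoid (Direct Access Grants on, wildcard or plain-HTTP redirect URIs, a public client on the Authorization Code flow without a secret). The `audit_client` function and the finding messages are my own, not a Keycloak API.

```python
# Added example (not part of the tutorial): audit a Keycloak client export for the
# settings configured above. TUTORIAL_CLIENT is a constructed ClientRepresentation;
# field names follow Keycloak's admin API / realm export, the secret is a placeholder.
import re

TUTORIAL_CLIENT = {
    "clientId": "huongdanjava_authorization_code",
    "protocol": "openid-connect",
    "enabled": True,
    "publicClient": False,               # Access Type: confidential
    "standardFlowEnabled": True,         # Authorization Code grant
    "implicitFlowEnabled": False,
    "directAccessGrantsEnabled": False,  # ROPC turned off, as the tutorial does
    "serviceAccountsEnabled": False,
    "consentRequired": True,             # consent screen turned on
    "redirectUris": ["https://oidcdebugger.com/debug"],
    "webOrigins": [],
    "secret": "replace-with-the-value-from-the-Credentials-tab",  # placeholder
}

LOCAL_HTTP = re.compile(r"^http://(localhost|127\.0\.0\.1)([:/]|$)")


def audit_client(client):
    """Return a list of (field, message) findings; an empty list means the client
    matches the hardening this tutorial applies."""
    findings = []
    if client.get("directAccessGrantsEnabled"):
        findings.append(("directAccessGrantsEnabled",
                         "Resource Owner Password Credentials grant is on; "
                         "turn off Direct Access Grants Enabled"))
    if client.get("implicitFlowEnabled"):
        findings.append(("implicitFlowEnabled",
                         "Implicit flow returns tokens in the URL fragment; "
                         "use Authorization Code instead"))
    if client.get("standardFlowEnabled") and client.get("publicClient"):
        findings.append(("publicClient",
                         "Authorization Code on a public client has no secret; "
                         "require PKCE for this client"))
    uris = client.get("redirectUris") or []
    if client.get("standardFlowEnabled") and not uris:
        findings.append(("redirectUris", "no Valid Redirect URIs registered"))
    for uri in uris:
        if "*" in uri:
            findings.append(("redirectUris",
                             f"wildcard redirect URI {uri!r}; register exact URIs"))
        elif uri.startswith("http://") and not LOCAL_HTTP.match(uri):
            findings.append(("redirectUris",
                             f"plain-HTTP redirect URI {uri!r} exposes the code in transit"))
    if "*" in (client.get("webOrigins") or []):
        findings.append(("webOrigins", "CORS open to every origin; list the app origins"))
    return findings


if __name__ == "__main__":
    for field, message in audit_client(TUTORIAL_CLIENT) or [("ok", "no findings")]:
        print(f"{field}: {message}")
```

Running the block on TUTORIAL_CLIENT prints "ok: no findings"; flipping `directAccessGrantsEnabled` to true or adding `"*"` to `redirectUris` produces one finding per problem.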
To check the results, you can first use https://oidcdebugger.com/ as a Client Application to get the authorization code with the following configuration:
The Authorize URI of Keycloak is http://localhost:8080/auth/realms/huongdanjava/protocol/openid-connect/auth, where http://localhost:8080 is the host name and port on which our Keycloak server is running, and huongdanjava is the name of the realm in which the client is defined. (The /auth prefix belongs to the older WildFly-based Keycloak distributions; Keycloak 17 and later, built on Quarkus, serve the same endpoint without it by default.)
We keep oidcdebugger's default Redirect URI, which is the https://oidcdebugger.com/debug URI we registered in Valid Redirect URIs above; if the two do not match exactly, Keycloak will reject the request as having an invalid redirect URI!
Client ID is the ID of the client I created above, huongdanjava_authorization_code.
After entering the above information, click the Send Request button at the bottom of the page. Keycloak's login page will be displayed as follows:
Log in with a user's username and password (refer to the tutorial Create new user in Keycloak!), and you will see Keycloak's default consent screen as follows:
Yes means that you allow the Client Application to access the information listed on this page; if you change your mind, press the No button instead!
After clicking the Yes button, the authorization code is returned to the Client Application at https://oidcdebugger.com as follows:
You can now send this authorization code, together with the client secret, to Keycloak's token endpoint to obtain an access token. The code is single-use and short-lived (one minute by default), and the token request must repeat the same redirect_uri that was used in the authorization request, as follows:
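The whole exchange that oidcdebugger performs for us above, written as a small client of our own, as an added example that is not part of the tutorial: it builds the authorization URL with a `state` and `nonce`, checks the `state` on the redirect back before trusting the code, and then POSTs the code with the client secret to Keycloak's /token endpoint. KEYCLOAK_BASE, the client ID and the redirect URI are the tutorial's values; CLIENT_SECRET is a placeholder for the value from the Credentials tab, and the function names are my own.

```python
# Added example (not from the tutorial): a minimal Authorization Code client for the
# Keycloak client configured above, using only the standard library.
# KEYCLOAK_BASE, CLIENT_ID and REDIRECT_URI are the tutorial's values; CLIENT_SECRET
# is a placeholder for the secret shown in the Credentials tab.
import json
import secrets
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "http://localhost:8080/auth/realms/huongdanjava/protocol/openid-connect"
CLIENT_ID = "huongdanjava_authorization_code"
CLIENT_SECRET = "replace-with-the-secret-from-the-Credentials-tab"  # placeholder
REDIRECT_URI = "https://oidcdebugger.com/debug"  # must match Valid Redirect URIs exactly


def build_authorize_url(state, nonce, base=KEYCLOAK_BASE):
    """Step 1: the URL the browser is sent to (Keycloak's /auth endpoint).
    state ties the callback to this request (CSRF protection); nonce is echoed
    inside the ID token so the token can be bound to this login."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return base + "/auth?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: pull the code out of the redirect back to REDIRECT_URI, refusing an
    error response or a state that is not the one we generated."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to our request")
    return query["code"][0]


def build_token_request(code, base=KEYCLOAK_BASE):
    """Step 3: the POST to Keycloak's /token endpoint. The confidential client
    authenticates with its secret in the form body (Keycloak also accepts the
    same credentials as HTTP Basic authentication)."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must repeat the URI used in step 1
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }).encode()
    return urllib.request.Request(
        base + "/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def exchange_code(code):
    """Perform step 3 against a running Keycloak; needs network access."""
    with urllib.request.urlopen(build_token_request(code)) as resp:
        # response carries access_token, refresh_token, id_token, expires_in, ...
        return json.load(resp)


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print("Open this URL in a browser:", build_authorize_url(state, nonce))
    code = parse_callback(input("Paste the full redirect URL here: "), state)
    tokens = exchange_code(code)
    print("token_type:", tokens["token_type"], "expires_in:", tokens["expires_in"])
```

Run it, open the printed URL, log in and accept the consent screen, then paste the URL Keycloak redirected to; the script refuses a callback whose `state` differs from the one it generated, which is the check a real Client Application must do before exchanging any code.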